From: Erik Hugne Date: Mon, 28 Apr 2014 06:20:09 +0000 (+0200) Subject: tipc: fix out of bounds indexing X-Git-Tag: firefly_0821_release~176^2~3765^2~298 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=d7bb74c38cb3de40600dcbba50a4f84df290dc91;p=firefly-linux-kernel-4.4.55.git tipc: fix out of bounds indexing Commit 78acb1f9b898e85fa2c1e28e700b54b66b288e8d ("tipc: add ioctl to fetch link names") introduced a buffer overflow bug where specially crafted ioctl requests could cause out-of-bounds indexing of the node->links array. This was caused by an incorrect check vs MAX_BEARERS, and the static code checker complaint is: net/tipc/node.c:459 tipc_node_get_linkname() error: buffer overflow 'node->links' 2 <= 2 Signed-off-by: Erik Hugne Reported-by: Dan Carpenter Signed-off-by: David S. Miller --- diff --git a/net/tipc/node.c b/net/tipc/node.c index 1f938f3dba4b..6d6543e88c2c 100644 --- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -453,7 +453,7 @@ int tipc_node_get_linkname(u32 bearer_id, u32 addr, char *linkname, size_t len) struct tipc_link *link; struct tipc_node *node = tipc_node_find(addr); - if ((bearer_id > MAX_BEARERS) || !node) + if ((bearer_id >= MAX_BEARERS) || !node) return -EINVAL; tipc_node_lock(node); link = node->links[bearer_id];