
Commit 297f7d2

splovingdavem330
authored andcommitted
tipc: fix potential null pointer dereferences in some compat functions
Before calling the nla_parse_nested function, make sure the pointer to the attribute is not null. This patch fixes several potential null pointer dereference vulnerabilities in the tipc netlink functions. Signed-off-by: Baozeng Ding <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent ec7c7f5 commit 297f7d2


1 file changed

+93
-18
lines changed

1 file changed

+93
-18
lines changed

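--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -346,9 +346,15 @@ static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg,
 struct nlattr **attrs)
 {
 struct nlattr *bearer[TIPC_NLA_BEARER_MAX + 1];
+int err;
+
+if (!attrs[TIPC_NLA_BEARER])
+return -EINVAL;
 
-nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX, attrs[TIPC_NLA_BEARER],
-NULL);
+err = nla_parse_nested(bearer, TIPC_NLA_BEARER_MAX,
+attrs[TIPC_NLA_BEARER], NULL);
+if (err)
+return err;
 
 return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
 nla_data(bearer[TIPC_NLA_BEARER_NAME]),
@@ -460,14 +466,31 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
 struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
 struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
 struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
+int err;
 
-nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+if (!attrs[TIPC_NLA_LINK])
+return -EINVAL;
 
-nla_parse_nested(prop, TIPC_NLA_PROP_MAX, link[TIPC_NLA_LINK_PROP],
-NULL);
+err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK],
+NULL);
+if (err)
+return err;
+
+if (!link[TIPC_NLA_LINK_PROP])
+return -EINVAL;
 
-nla_parse_nested(stats, TIPC_NLA_STATS_MAX, link[TIPC_NLA_LINK_STATS],
-NULL);
+err = nla_parse_nested(prop, TIPC_NLA_PROP_MAX,
+link[TIPC_NLA_LINK_PROP], NULL);
+if (err)
+return err;
+
+if (!link[TIPC_NLA_LINK_STATS])
+return -EINVAL;
+
+err = nla_parse_nested(stats, TIPC_NLA_STATS_MAX,
+link[TIPC_NLA_LINK_STATS], NULL);
+if (err)
+return err;
 
 name = (char *)TLV_DATA(msg->req);
 if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
@@ -569,8 +592,15 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 {
 struct nlattr *link[TIPC_NLA_LINK_MAX + 1];
 struct tipc_link_info link_info;
+int err;
 
-nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK], NULL);
+if (!attrs[TIPC_NLA_LINK])
+return -EINVAL;
+
+err = nla_parse_nested(link, TIPC_NLA_LINK_MAX, attrs[TIPC_NLA_LINK],
+NULL);
+if (err)
+return err;
 
 link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
@@ -758,12 +788,23 @@ static int tipc_nl_compat_name_table_dump(struct tipc_nl_compat_msg *msg,
 u32 node, depth, type, lowbound, upbound;
 static const char * const scope_str[] = {"", " zone", " cluster",
 " node"};
+int err;
 
-nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
-attrs[TIPC_NLA_NAME_TABLE], NULL);
+if (!attrs[TIPC_NLA_NAME_TABLE])
+return -EINVAL;
 
-nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, nt[TIPC_NLA_NAME_TABLE_PUBL],
-NULL);
+err = nla_parse_nested(nt, TIPC_NLA_NAME_TABLE_MAX,
+attrs[TIPC_NLA_NAME_TABLE], NULL);
+if (err)
+return err;
+
+if (!nt[TIPC_NLA_NAME_TABLE_PUBL])
+return -EINVAL;
+
+err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX,
+nt[TIPC_NLA_NAME_TABLE_PUBL], NULL);
+if (err)
+return err;
 
 ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
 
@@ -815,8 +856,15 @@ static int __tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg,
 {
 u32 type, lower, upper;
 struct nlattr *publ[TIPC_NLA_PUBL_MAX + 1];
+int err;
 
-nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL], NULL);
+if (!attrs[TIPC_NLA_PUBL])
+return -EINVAL;
+
+err = nla_parse_nested(publ, TIPC_NLA_PUBL_MAX, attrs[TIPC_NLA_PUBL],
+NULL);
+if (err)
+return err;
 
 type = nla_get_u32(publ[TIPC_NLA_PUBL_TYPE]);
 lower = nla_get_u32(publ[TIPC_NLA_PUBL_LOWER]);
@@ -876,7 +924,13 @@ static int tipc_nl_compat_sk_dump(struct tipc_nl_compat_msg *msg,
 u32 sock_ref;
 struct nlattr *sock[TIPC_NLA_SOCK_MAX + 1];
 
-nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, attrs[TIPC_NLA_SOCK], NULL);
+if (!attrs[TIPC_NLA_SOCK])
+return -EINVAL;
+
+err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX, attrs[TIPC_NLA_SOCK],
+NULL);
+if (err)
+return err;
 
 sock_ref = nla_get_u32(sock[TIPC_NLA_SOCK_REF]);
 tipc_tlv_sprintf(msg->rep, "%u:", sock_ref);
@@ -917,9 +971,15 @@ static int tipc_nl_compat_media_dump(struct tipc_nl_compat_msg *msg,
 struct nlattr **attrs)
 {
 struct nlattr *media[TIPC_NLA_MEDIA_MAX + 1];
+int err;
+
+if (!attrs[TIPC_NLA_MEDIA])
+return -EINVAL;
 
-nla_parse_nested(media, TIPC_NLA_MEDIA_MAX, attrs[TIPC_NLA_MEDIA],
-NULL);
+err = nla_parse_nested(media, TIPC_NLA_MEDIA_MAX, attrs[TIPC_NLA_MEDIA],
+NULL);
+if (err)
+return err;
 
 return tipc_add_tlv(msg->rep, TIPC_TLV_MEDIA_NAME,
 nla_data(media[TIPC_NLA_MEDIA_NAME]),
@@ -931,8 +991,15 @@ static int tipc_nl_compat_node_dump(struct tipc_nl_compat_msg *msg,
 {
 struct tipc_node_info node_info;
 struct nlattr *node[TIPC_NLA_NODE_MAX + 1];
+int err;
 
-nla_parse_nested(node, TIPC_NLA_NODE_MAX, attrs[TIPC_NLA_NODE], NULL);
+if (!attrs[TIPC_NLA_NODE])
+return -EINVAL;
+
+err = nla_parse_nested(node, TIPC_NLA_NODE_MAX, attrs[TIPC_NLA_NODE],
+NULL);
+if (err)
+return err;
 
 node_info.addr = htonl(nla_get_u32(node[TIPC_NLA_NODE_ADDR]));
 node_info.up = htonl(nla_get_flag(node[TIPC_NLA_NODE_UP]));
@@ -971,8 +1038,16 @@ static int tipc_nl_compat_net_dump(struct tipc_nl_compat_msg *msg,
 {
 __be32 id;
 struct nlattr *net[TIPC_NLA_NET_MAX + 1];
+int err;
+
+if (!attrs[TIPC_NLA_NET])
+return -EINVAL;
+
+err = nla_parse_nested(net, TIPC_NLA_NET_MAX, attrs[TIPC_NLA_NET],
+NULL);
+if (err)
+return err;
 
-nla_parse_nested(net, TIPC_NLA_NET_MAX, attrs[TIPC_NLA_NET], NULL);
 id = htonl(nla_get_u32(net[TIPC_NLA_NET_ID]));
 
 return tipc_add_tlv(msg->rep, TIPC_TLV_UNSIGNED, &id, sizeof(id));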
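Review bot: The added guards cover only the nested container attributes; the leaf attributes read immediately after each parse are still dereferenced without a presence check, for example `nla_data(bearer[TIPC_NLA_BEARER_NAME])` in tipc_nl_compat_bearer_dump, `nla_get_u32(sock[TIPC_NLA_SOCK_REF])` in tipc_nl_compat_sk_dump and `nla_get_u32(net[TIPC_NLA_NET_ID])` in tipc_nl_compat_net_dump. Every `nla_parse_nested()` call here passes a NULL policy, so a zero return guarantees neither that those entries exist nor that their payload is long enough for the accessor used. I would add a guard before each read, such as `if (!net[TIPC_NLA_NET_ID]) return -EINVAL;`, or pass the matching `struct nla_policy` table instead of NULL so that lengths are validated as well. Separately, the tipc_nl_compat_sk_dump hunk assigns `err` without adding a declaration, so it presumably relies on one above the visible context; worth confirming. Most of these functions begin or end outside the hunks shown, so some of these checks may already exist out of view.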
