Patch "tipc: fix incorrect order of state message data sanity check" has been added to the 5.16-stable tree


 



This is a note to let you know that I've just added the patch titled

    tipc: fix incorrect order of state message data sanity check

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-fix-incorrect-order-of-state-message-data-sanit.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 71700ebee47c9d0cb409c438be69bf437d31148d
Author: Tung Nguyen <tung.q.nguyen@xxxxxxxxxxxxxx>
Date:   Tue Mar 8 02:11:59 2022 +0000

    tipc: fix incorrect order of state message data sanity check
    
    [ Upstream commit c79fcc27be90b308b3fa90811aefafdd4078668c ]
    
    When receiving a state message, function tipc_link_validate_msg()
    is called to validate its header portion. Then, its data portion
    is validated before it can be accessed correctly. However, current
    data sanity check is done after the message header is accessed to
    update some link variables.
    
    This commit fixes this issue by moving the data sanity check to
    the beginning of state message handling and right after the header
    sanity check.
    
    Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
    Acked-by: Jon Maloy <jmaloy@xxxxxxxxxx>
    Signed-off-by: Tung Nguyen <tung.q.nguyen@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@xxxxxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tipc/link.c b/net/tipc/link.c
index 4e7936d9b442..115a4a7950f5 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2285,6 +2285,11 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 		break;
 
 	case STATE_MSG:
+		/* Validate Gap ACK blocks, drop if invalid */
+		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
+		if (glen > dlen)
+			break;
+
 		l->rcv_nxt_state = msg_seqno(hdr) + 1;
 
 		/* Update own tolerance if peer indicates a non-zero value */
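Review bot: the new early check at the top of `case STATE_MSG:` passes `l` into `tipc_get_gap_ack_blks(&ga, l, hdr, true)` before the message has been accepted, so it is worth confirming (and saying in the comment) that this helper only reads from the link and the header and does not update any link state itself; otherwise part of the ordering problem described in the commit message remains. The comment "drop if invalid" could also state the actual condition being enforced, namely that the Gap ACK block length `glen` must not exceed the data length `dlen`, since that is the only validity test visible here. The `break` on failure is silent; if a malformed state message from a peer is something operators should be able to notice, a counter or trace point at this spot would help.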
@@ -2310,10 +2315,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 			break;
 		}
 
-		/* Receive Gap ACK blocks from peer if any */
-		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
-		if(glen > dlen)
-			break;
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
 			     &l->mon_state, l->bearer_id);
 
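Review bot: with the check removed from this spot, the `tipc_mon_rcv(l->net, data + glen, dlen - glen, ...)` call now depends on a `glen > dlen` test that sits at the top of the case, separated from it by the tolerance and priority handling and at least one other `break` path. Nothing at the call site shows that `dlen - glen` cannot go negative or that `data + glen` stays inside the data portion. A one-line comment above the call noting that `glen <= dlen` was validated at the start of `STATE_MSG` handling would protect against a later change that modifies `glen` or `dlen` in between, or that moves the early check again.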


