On 7/30/19 6:15 AM, Taras Kondratiuk wrote:
> Commit 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
> broke older tipc tools that use compat interface (e.g. tipc-config from
> tipcutils package):
>
> % tipc-config -p
> operation not supported
>
> The commit started to reject TIPC netlink compat messages that do not
> have attributes. It is too restrictive because some of such messages are
> valid (they don't need any arguments):
>
> % grep 'tx none' include/uapi/linux/tipc_config.h
> #define TIPC_CMD_NOOP 0x0000 /* tx none, rx none */
> #define TIPC_CMD_GET_MEDIA_NAMES 0x0002 /* tx none, rx media_name(s) */
> #define TIPC_CMD_GET_BEARER_NAMES 0x0003 /* tx none, rx bearer_name(s) */
> #define TIPC_CMD_SHOW_PORTS 0x0006 /* tx none, rx ultra_string */
> #define TIPC_CMD_GET_REMOTE_MNG 0x4003 /* tx none, rx unsigned */
> #define TIPC_CMD_GET_MAX_PORTS 0x4004 /* tx none, rx unsigned */
> #define TIPC_CMD_GET_NETID 0x400B /* tx none, rx unsigned */
> #define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */
>
> This patch relaxes the original fix and rejects messages without
> arguments only if such arguments are expected by a command (reg_type is
> non zero).
>
> Fixes: 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Taras Kondratiuk <takondra@xxxxxxxxx>
Acked-by: Ying Xue <ying.xue@xxxxxxxxxxxxx>
> ---
> The patch is based on v5.3-rc2.
>
> net/tipc/netlink_compat.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
> index d86030ef1232..e135d4e11231 100644
> --- a/net/tipc/netlink_compat.c
> +++ b/net/tipc/netlink_compat.c
> @@ -55,6 +55,7 @@ struct tipc_nl_compat_msg {
> int rep_type;
> int rep_size;
> int req_type;
> + int req_size;
> struct net *net;
> struct sk_buff *rep;
> struct tlv_desc *req;
> @@ -257,7 +258,8 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
> int err;
> struct sk_buff *arg;
>
> - if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
> + if (msg->req_type && (!msg->req_size ||
> + !TLV_CHECK_TYPE(msg->req, msg->req_type)))
> return -EINVAL;
>
> msg->rep = tipc_tlv_alloc(msg->rep_size);
> @@ -354,7 +356,8 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd,
> {
> int err;
>
> - if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
> + if (msg->req_type && (!msg->req_size ||
> + !TLV_CHECK_TYPE(msg->req, msg->req_type)))
> return -EINVAL;
>
> err = __tipc_nl_compat_doit(cmd, msg);
> @@ -1278,8 +1281,8 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
> goto send;
> }
>
> - len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
> - if (!len || !TLV_OK(msg.req, len)) {
> + msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
> + if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) {
> msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
> err = -EOPNOTSUPP;
> goto send;
>
