tipc: fix possible crash in __tipc_nl_net_set()

syzbot reported a crash in __tipc_nl_net_set() caused by NULL dereference. We need to check that both TIPC_NLA_NET_NODEID and TIPC_NLA_NET_NODEID_W1 are present. We also need to make sure userland provided u64 attributes. Fixes: d50ccc2d3909 ("tipc: add 128-bit node identifier") Signed-off-by: Eric Dumazet <[email protected]> Cc: Jon Maloy <[email protected]> Cc: Ying Xue <[email protected]> Reported-by: syzbot <[email protected]> Signed-off-by: David S. Miller <[email protected]>
author: Eric Dumazet <[email protected]> 2018-04-16 15:29:43 +0000
committer: David S. Miller <[email protected]> 2018-04-16 22:08:18 +0000
commit: c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf (patch)
tree: 446adab675af1e507ab048a2efe35edd427fdd34 /net/tipc/net.c
parent: tipc: add policy for TIPC_NLA_NET_ADDR (diff)
download: kernel-c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf.tar.gz
kernel-c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/net/tipc/net.c b/net/tipc/net.c
index 856f9e97ea29..4fbaa0464405 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -252,6 +252,8 @@ int __tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info)
 		u64 *w0 = (u64 *)&node_id[0];
 		u64 *w1 = (u64 *)&node_id[8];
 
+		if (!attrs[TIPC_NLA_NET_NODEID_W1])
+			return -EINVAL;
 		*w0 = nla_get_u64(attrs[TIPC_NLA_NET_NODEID]);
 		*w1 = nla_get_u64(attrs[TIPC_NLA_NET_NODEID_W1]);
 		tipc_net_init(net, node_id, 0);
author	Eric Dumazet <[email protected]>	2018-04-16 15:29:43 +0000
committer	David S. Miller <[email protected]>	2018-04-16 22:08:18 +0000
commit	c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf (patch)
tree	446adab675af1e507ab048a2efe35edd427fdd34 /net/tipc/net.c
parent	tipc: add policy for TIPC_NLA_NET_ADDR (diff)
download	kernel-c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf.tar.gz kernel-c6404122cb18f1fbd2a6dc85ab687f6fa2e454cf.zip