From d7bb74c38cb3de40600dcbba50a4f84df290dc91 Mon Sep 17 00:00:00 2001 From: Erik Hugne Date: Mon, 28 Apr 2014 08:20:09 +0200 Subject: tipc: fix out of bounds indexing Commit 78acb1f9b898e85fa2c1e28e700b54b66b288e8d ("tipc: add ioctl to fetch link names") introduced a buffer overflow bug where specially crafted ioctl requests could cause out-of-bounds indexing of the node->links array. This was caused by an incorrect check vs MAX_BEARERS, and the static code checker complaint is: net/tipc/node.c:459 tipc_node_get_linkname() error: buffer overflow 'node->links' 2 <= 2 Signed-off-by: Erik Hugne Reported-by: Dan Carpenter Signed-off-by: David S. Miller
---
 net/tipc/node.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net/tipc')
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 1f938f3dba4b..6d6543e88c2c 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -453,7 +453,7 @@ int tipc_node_get_linkname(u32 bearer_id, u32 addr, char *linkname, size_t len)
 struct tipc_link *link;
 struct tipc_node *node = tipc_node_find(addr);
- if ((bearer_id > MAX_BEARERS) || !node)
+ if ((bearer_id >= MAX_BEARERS) || !node)
 return -EINVAL;
 tipc_node_lock(node);
 link = node->links[bearer_id];
-- cgit v1.2.3
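Review bot: The corrected guard in tipc_node_get_linkname() still bounds bearer_id with the MAX_BEARERS constant rather than with the array it indexes, so the check and the declared size of node->links can drift apart again without any compile-time signal. The declaration of links is outside this hunk, and the checker output in the commit message suggests its size currently equals MAX_BEARERS. Tying the test to the array itself would remove that dependency: `if (bearer_id >= ARRAY_SIZE(node->links) || !node)`, which is safe with a NULL node because the operand is only used under sizeof. Since the commit message states the value arrives from an ioctl request, a short comment above the check such as `/* bearer_id is user-supplied; must be a valid index into node->links */` would record why the bound matters. The rest of the function body, including how linkname and len are used, lies outside the hunk and is not reviewed here.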