summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2013-05-06 08:28:41 +0000
committerDavid S. Miller <davem@davemloft.net>2013-05-06 16:16:52 -0400
commitcb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc (patch)
treecedc736240969480891ff4bb5de7b32d8b448e42
parentac718b69301c7c07cd0d858570f76a0e1c4c8726 (diff)
downloadlinux-cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc.tar.gz
linux-cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc.tar.bz2
linux-cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc.zip
tipc: add a bounds check in link_recv_changeover_msg()
The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/tipc/link.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c
index daa6080a2a0c..3a6064b3d666 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2306,8 +2306,11 @@ static int link_recv_changeover_msg(struct tipc_link **l_ptr,
struct tipc_msg *tunnel_msg = buf_msg(tunnel_buf);
u32 msg_typ = msg_type(tunnel_msg);
u32 msg_count = msg_msgcnt(tunnel_msg);
+ u32 bearer_id = msg_bearer_id(tunnel_msg);
- dest_link = (*l_ptr)->owner->links[msg_bearer_id(tunnel_msg)];
+ if (bearer_id >= MAX_BEARERS)
+ goto exit;
+ dest_link = (*l_ptr)->owner->links[bearer_id];
if (!dest_link)
goto exit;
if (dest_link == *l_ptr) {