diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-05-06 08:28:41 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-05-06 16:16:52 -0400 |
commit | cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc (patch) | |
tree | cedc736240969480891ff4bb5de7b32d8b448e42 | |
parent | ac718b69301c7c07cd0d858570f76a0e1c4c8726 (diff) | |
download | linux-cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc.tar.gz linux-cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc.tar.bz2 linux-cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc.zip |
tipc: add a bounds check in link_recv_changeover_msg()
The bearer_id here comes from skb->data and it can be a number from 0 to
7. The problem is that the ->links[] array has only 2 elements so I
have added a range check.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/tipc/link.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c index daa6080a2a0c..3a6064b3d666 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -2306,8 +2306,11 @@ static int link_recv_changeover_msg(struct tipc_link **l_ptr, struct tipc_msg *tunnel_msg = buf_msg(tunnel_buf); u32 msg_typ = msg_type(tunnel_msg); u32 msg_count = msg_msgcnt(tunnel_msg); + u32 bearer_id = msg_bearer_id(tunnel_msg); - dest_link = (*l_ptr)->owner->links[msg_bearer_id(tunnel_msg)]; + if (bearer_id >= MAX_BEARERS) + goto exit; + dest_link = (*l_ptr)->owner->links[bearer_id]; if (!dest_link) goto exit; if (dest_link == *l_ptr) { |