tipc: Abort excessive send requests as early as possible
Adds checks to TIPC's socket send routines to promptly detect and abort attempts to send more than 66,000 bytes in a single TIPC message or more than 2**31-1 bytes in a single TIPC byte stream request. In addition, this ensures that the number of iovecs in a send request does not exceed the limits of a standard integer variable. Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
This commit is contained in:
parent
66e019a6af
commit
c29c3f70c9
2 changed files with 14 additions and 1 deletions
|
@ -101,7 +101,7 @@ static inline unsigned int tipc_node(__u32 addr)
|
|||
* Limiting values for messages
|
||||
*/
|
||||
|
||||
#define TIPC_MAX_USER_MSG_SIZE 66000
|
||||
#define TIPC_MAX_USER_MSG_SIZE 66000U
|
||||
|
||||
/*
|
||||
* Message importance levels
|
||||
|
|
|
@ -535,6 +535,9 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
|
|||
if (unlikely((m->msg_namelen < sizeof(*dest)) ||
|
||||
(dest->family != AF_TIPC)))
|
||||
return -EINVAL;
|
||||
if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
|
||||
(m->msg_iovlen > (unsigned)INT_MAX))
|
||||
return -EMSGSIZE;
|
||||
|
||||
if (iocb)
|
||||
lock_sock(sk);
|
||||
|
@ -640,6 +643,10 @@ static int send_packet(struct kiocb *iocb, struct socket *sock,
|
|||
if (unlikely(dest))
|
||||
return send_msg(iocb, sock, m, total_len);
|
||||
|
||||
if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
|
||||
(m->msg_iovlen > (unsigned)INT_MAX))
|
||||
return -EMSGSIZE;
|
||||
|
||||
if (iocb)
|
||||
lock_sock(sk);
|
||||
|
||||
|
@ -723,6 +730,12 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if ((total_len > (unsigned)INT_MAX) ||
|
||||
(m->msg_iovlen > (unsigned)INT_MAX)) {
|
||||
res = -EMSGSIZE;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/*
|
||||
* Send each iovec entry using one or more messages
|
||||
*
|
||||
|
|
Loading…
Reference in a new issue