Skip to content

Commit 1c1274a

Browse files
Jon Maloydavem330
Jon Maloy
authored and
davem330
committed
tipc: don't assume linear buffer when reading ancillary data
The code for reading ancillary data from a received buffer is assuming the buffer is linear. To make this assumption true we have to linearize the buffer before message data is read. Signed-off-by: Jon Maloy <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent adba75b commit 1c1274a

File tree

1 file changed

+11
-4
lines changed

1 file changed

+11
-4
lines changed

net/tipc/socket.c

+11-4
Original file line numberDiff line numberDiff line change
@@ -1555,16 +1555,17 @@ static void tipc_sk_set_orig_addr(struct msghdr *m, struct sk_buff *skb)
15551555
/**
15561556
* tipc_sk_anc_data_recv - optionally capture ancillary data for received message
15571557
* @m: descriptor for message info
1558-
* @msg: received message header
1558+
* @skb: received message buffer
15591559
* @tsk: TIPC port associated with message
15601560
*
15611561
* Note: Ancillary data is not captured if not requested by receiver.
15621562
*
15631563
* Returns 0 if successful, otherwise errno
15641564
*/
1565-
static int tipc_sk_anc_data_recv(struct msghdr *m, struct tipc_msg *msg,
1565+
static int tipc_sk_anc_data_recv(struct msghdr *m, struct sk_buff *skb,
15661566
struct tipc_sock *tsk)
15671567
{
1568+
struct tipc_msg *msg;
15681569
u32 anc_data[3];
15691570
u32 err;
15701571
u32 dest_type;
@@ -1573,6 +1574,7 @@ static int tipc_sk_anc_data_recv(struct msghdr *m, struct tipc_msg *msg,
15731574

15741575
if (likely(m->msg_controllen == 0))
15751576
return 0;
1577+
msg = buf_msg(skb);
15761578

15771579
/* Optionally capture errored message object(s) */
15781580
err = msg ? msg_errcode(msg) : 0;
@@ -1583,6 +1585,9 @@ static int tipc_sk_anc_data_recv(struct msghdr *m, struct tipc_msg *msg,
15831585
if (res)
15841586
return res;
15851587
if (anc_data[1]) {
1588+
if (skb_linearize(skb))
1589+
return -ENOMEM;
1590+
msg = buf_msg(skb);
15861591
res = put_cmsg(m, SOL_TIPC, TIPC_RETDATA, anc_data[1],
15871592
msg_data(msg));
15881593
if (res)
@@ -1744,9 +1749,10 @@ static int tipc_recvmsg(struct socket *sock, struct msghdr *m,
17441749

17451750
/* Collect msg meta data, including error code and rejected data */
17461751
tipc_sk_set_orig_addr(m, skb);
1747-
rc = tipc_sk_anc_data_recv(m, hdr, tsk);
1752+
rc = tipc_sk_anc_data_recv(m, skb, tsk);
17481753
if (unlikely(rc))
17491754
goto exit;
1755+
hdr = buf_msg(skb);
17501756

17511757
/* Capture data if non-error msg, otherwise just set return value */
17521758
if (likely(!err)) {
@@ -1856,9 +1862,10 @@ static int tipc_recvstream(struct socket *sock, struct msghdr *m,
18561862
/* Collect msg meta data, incl. error code and rejected data */
18571863
if (!copied) {
18581864
tipc_sk_set_orig_addr(m, skb);
1859-
rc = tipc_sk_anc_data_recv(m, hdr, tsk);
1865+
rc = tipc_sk_anc_data_recv(m, skb, tsk);
18601866
if (rc)
18611867
break;
1868+
hdr = buf_msg(skb);
18621869
}
18631870

18641871
/* Copy data if msg ok, otherwise return error/partial data */

0 commit comments

Comments
 (0)