diff options
author | Allan Stephens <Allan.Stephens@windriver.com> | 2010-04-20 17:58:24 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-05-10 16:03:56 -0400 |
commit | c29c3f70c9eb6f18090da5af9dbe9dcb4adece8c (patch) | |
tree | 28521412e2c927952bd4fea9dbae49db55b12f16 /net/tipc | |
parent | 66e019a6af827a254641e83e96ee36b0f4adc5e3 (diff) | |
download | lwn-c29c3f70c9eb6f18090da5af9dbe9dcb4adece8c.tar.gz lwn-c29c3f70c9eb6f18090da5af9dbe9dcb4adece8c.zip |
tipc: Abort excessive send requests as early as possible
Adds checks to TIPC's socket send routines to promptly detect and
abort attempts to send more than 66,000 bytes in a single TIPC
message or more than 2**31-1 bytes in a single TIPC byte stream request.
In addition, this ensures that the number of iovecs in a send request
does not exceed the limits of a standard integer variable.
Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Diffstat (limited to 'net/tipc')
-rw-r--r-- | net/tipc/socket.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 29d94d53198d..e1c791798ba1 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -535,6 +535,9 @@ static int send_msg(struct kiocb *iocb, struct socket *sock, if (unlikely((m->msg_namelen < sizeof(*dest)) || (dest->family != AF_TIPC))) return -EINVAL; + if ((total_len > TIPC_MAX_USER_MSG_SIZE) || + (m->msg_iovlen > (unsigned)INT_MAX)) + return -EMSGSIZE; if (iocb) lock_sock(sk); @@ -640,6 +643,10 @@ static int send_packet(struct kiocb *iocb, struct socket *sock, if (unlikely(dest)) return send_msg(iocb, sock, m, total_len); + if ((total_len > TIPC_MAX_USER_MSG_SIZE) || + (m->msg_iovlen > (unsigned)INT_MAX)) + return -EMSGSIZE; + if (iocb) lock_sock(sk); @@ -723,6 +730,12 @@ static int send_stream(struct kiocb *iocb, struct socket *sock, goto exit; } + if ((total_len > (unsigned)INT_MAX) || + (m->msg_iovlen > (unsigned)INT_MAX)) { + res = -EMSGSIZE; + goto exit; + } + /* * Send each iovec entry using one or more messages * |