tipc: fix out of bounds indexing

Commit 78acb1f9b898e85fa2c1e28e700b54b66b288e8d ("tipc: add
ioctl to fetch link names") introduced a buffer overflow bug where
specially crafted ioctl requests could cause out-of-bounds indexing
of the node->links array. This was caused by an incorrect check vs
MAX_BEARERS, and the static code checker complaint is:
net/tipc/node.c:459 tipc_node_get_linkname() error: buffer overflow 'node->links' 2 <= 2

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 1f938f3dba4b63fb2c16741796bf8c5e0990606a..6d6543e88c2ce9ecbd627d5714fbe4953cdf2ffc 100644 (file)
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -453,7 +453,7 @@ int tipc_node_get_linkname(u32 bearer_id, u32 addr, char *linkname, size_t len)
        struct tipc_link *link;
        struct tipc_node *node = tipc_node_find(addr);
 
-       if ((bearer_id > MAX_BEARERS) || !node)
+       if ((bearer_id >= MAX_BEARERS) || !node)
                return -EINVAL;
        tipc_node_lock(node);
        link = node->links[bearer_id];