summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAllan Stephens <allan.stephens@windriver.com>2008-06-05 02:36:58 +0200
committerDavid S. Miller <davem@davemloft.net>2008-06-05 02:36:58 +0200
commit9c396a7bfb4fe74e444be09069651280da520944 (patch)
treee0cffbc27f334c928221aef12279045149173546
parenttipc: Minor optimizations to received message processing (diff)
downloadlinux-9c396a7bfb4fe74e444be09069651280da520944.tar.xz
linux-9c396a7bfb4fe74e444be09069651280da520944.zip
tipc: Prevent access of non-existent field in short message header
This patch eliminates a case where TIPC's link code could try reading a field that is not present in a short message header. (The random value obtained was not being used, but the read operation could result in an invalid memory access exception in extremely rare circumstances.) Signed-off-by: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/tipc/link.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c
index c62ebfea9304..022cb2f107ac 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2674,10 +2674,12 @@ int tipc_link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
u32 pack_sz = link_max_pkt(l_ptr);
u32 fragm_sz = pack_sz - INT_H_SIZE;
u32 fragm_no = 1;
- u32 destaddr = msg_destnode(inmsg);
+ u32 destaddr;
if (msg_short(inmsg))
destaddr = l_ptr->addr;
+ else
+ destaddr = msg_destnode(inmsg);
if (msg_routed(inmsg))
msg_set_prevnode(inmsg, tipc_own_addr);