diff options
author | Allan Stephens <allan.stephens@windriver.com> | 2008-06-05 02:36:58 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-06-05 02:36:58 +0200 |
commit | 9c396a7bfb4fe74e444be09069651280da520944 (patch) | |
tree | e0cffbc27f334c928221aef12279045149173546 | |
parent | tipc: Minor optimizations to received message processing (diff) | |
download | linux-9c396a7bfb4fe74e444be09069651280da520944.tar.xz linux-9c396a7bfb4fe74e444be09069651280da520944.zip |
tipc: Prevent access of non-existent field in short message header
This patch eliminates a case where TIPC's link code could try reading
a field that is not present in a short message header. (The random
value obtained was not being used, but the read operation could result
in an invalid memory access exception in extremely rare circumstances.)
Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/tipc/link.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c index c62ebfea9304..022cb2f107ac 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -2674,10 +2674,12 @@ int tipc_link_send_long_buf(struct link *l_ptr, struct sk_buff *buf) u32 pack_sz = link_max_pkt(l_ptr); u32 fragm_sz = pack_sz - INT_H_SIZE; u32 fragm_no = 1; - u32 destaddr = msg_destnode(inmsg); + u32 destaddr; if (msg_short(inmsg)) destaddr = l_ptr->addr; + else + destaddr = msg_destnode(inmsg); if (msg_routed(inmsg)) msg_set_prevnode(inmsg, tipc_own_addr); |