tipc: Abort excessive send requests as early as possible
Adds checks to TIPC's socket send routines to promptly detect and
abort attempts to send more than 66,000 bytes in a single TIPC
message or more than 2**31-1 bytes in a single TIPC byte stream request.
In addition, this ensures that the number of iovecs in a send request
does not exceed the limits of a standard integer variable.
Signed-off-by: Allan Stephens <Allan.Stephens@windriver.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/include/linux/tipc.h b/include/linux/tipc.h
index a5b994a..f2d9009 100644
--- a/include/linux/tipc.h
+++ b/include/linux/tipc.h
@@ -101,7 +101,7 @@
* Limiting values for messages
*/
-#define TIPC_MAX_USER_MSG_SIZE 66000
+#define TIPC_MAX_USER_MSG_SIZE 66000U
/*
* Message importance levels
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 29d94d5..e1c7917 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -535,6 +535,9 @@
if (unlikely((m->msg_namelen < sizeof(*dest)) ||
(dest->family != AF_TIPC)))
return -EINVAL;
+ if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
+ (m->msg_iovlen > (unsigned)INT_MAX))
+ return -EMSGSIZE;
if (iocb)
lock_sock(sk);
@@ -640,6 +643,10 @@
if (unlikely(dest))
return send_msg(iocb, sock, m, total_len);
+ if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
+ (m->msg_iovlen > (unsigned)INT_MAX))
+ return -EMSGSIZE;
+
if (iocb)
lock_sock(sk);
@@ -723,6 +730,12 @@
goto exit;
}
+ if ((total_len > (unsigned)INT_MAX) ||
+ (m->msg_iovlen > (unsigned)INT_MAX)) {
+ res = -EMSGSIZE;
+ goto exit;
+ }
+
/*
* Send each iovec entry using one or more messages
*