Before calling the nla_data function, make sure its argument is not NULL. This fixes a potential null pointer dereference vulnerability.
Signed-off-by: Baozeng Ding <splovi...@gmail.com>
---
 net/tipc/netlink_compat.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index f795b1d..efbba26 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -356,6 +356,9 @@ static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg,
 if (err)
 return err;
 
+ if (!bearer[TIPC_NLA_BEARER_NAME])
+ return -EINVAL;
+
 return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
 nla_data(bearer[TIPC_NLA_BEARER_NAME]),
 nla_len(bearer[TIPC_NLA_BEARER_NAME]));
@@ -492,6 +495,9 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
 if (err)
 return err;
 
+ if (!link[TIPC_NLA_LINK_NAME])
+ return -EINVAL;
+
 name = (char *)TLV_DATA(msg->req);
 if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
 return 0;
@@ -602,6 +608,9 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 if (err)
 return err;
 
+ if (!link[TIPC_NLA_LINK_NAME])
+ return -EINVAL;
+
 link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
 strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
@@ -981,6 +990,9 @@ static int tipc_nl_compat_media_dump(struct tipc_nl_compat_msg *msg,
 if (err)
 return err;
 
+ if (!media[TIPC_NLA_MEDIA_NAME])
+ return -EINVAL;
+
 return tipc_add_tlv(msg->rep, TIPC_TLV_MEDIA_NAME,
 nla_data(media[TIPC_NLA_MEDIA_NAME]),
 nla_len(media[TIPC_NLA_MEDIA_NAME]));
-- 
1.9.1
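Review bot: In tipc_nl_compat_bearer_dump the new test guards only the inner `bearer[TIPC_NLA_BEARER_NAME]` slot, while the nested parse that fills `bearer[]` sits above the hunk and is not shown. If that call is handed the outer nest attribute straight from the top-level table without a presence test, a message lacking the nest would fault inside the parser before this check is reached. Assuming the callback's table is named `attrs`, a matching guard before the parse would be `if (!attrs[TIPC_NLA_BEARER]) return -EINVAL;`. The same question applies to the link_stat_dump, link_dump and media_dump hunks, whose parse calls are also outside the visible context.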
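Review bot: In tipc_nl_compat_link_stat_dump the added presence check does not make the attribute a terminated string, so the `strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME]))` that follows can still read past the end of the payload. Unless the nested parse above the hunk applies a string policy with a maximum length (not visible here), a length-aware compare such as `nla_strcmp(link[TIPC_NLA_LINK_NAME], name)` would be safer. `name` comes from `TLV_DATA(msg->req)` and needs its own length and termination check before either form of compare; whether the caller already does that cannot be told from this hunk.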
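Review bot: In tipc_nl_compat_link_dump the `strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]))` below the new check is an unbounded copy, and nothing visible in the hunk limits the attribute's length to the size of the destination. A name longer than `link_info.str`, or one without a terminator, would write or read out of bounds even though the pointer is now non-NULL. Replace it with a bounded copy, `nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME], sizeof(link_info.str));`, which presumes `str` is a fixed array; the declaration of `link_info` is outside the hunk.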