tipc: Prevent access of non-existent field in short message header
authorAllan Stephens <allan.stephens@windriver.com>
Thu, 5 Jun 2008 00:36:58 +0000 (17:36 -0700)
committerDavid S. Miller <davem@davemloft.net>
Thu, 5 Jun 2008 00:36:58 +0000 (17:36 -0700)
This patch eliminates a case where TIPC's link code could try reading
a field that is not present in a short message header.  (The random
value obtained was not being used, but the read operation could result
in an invalid memory access exception in extremely rare circumstances.)

Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/link.c

index c62ebfea93043ee52e2d55ac9de24dbb6c77b547..022cb2f107ac26ce31f07a19adf895b586891bc2 100644 (file)
@@ -2674,10 +2674,12 @@ int tipc_link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        u32 pack_sz = link_max_pkt(l_ptr);
        u32 fragm_sz = pack_sz - INT_H_SIZE;
        u32 fragm_no = 1;
-       u32 destaddr = msg_destnode(inmsg);
+       u32 destaddr;
 
        if (msg_short(inmsg))
                destaddr = l_ptr->addr;
+       else
+               destaddr = msg_destnode(inmsg);
 
        if (msg_routed(inmsg))
                msg_set_prevnode(inmsg, tipc_own_addr);