[PATCH 4.19 034/170] tipc: compare remote and local protocols in tipc_udp_enable()

From: Greg Kroah-Hartman
Date: Mon Jan 07 2019 - 08:20:30 EST

4.19-stable review patch. If anyone has any objections, please let me know.


From: Cong Wang <xiyou.wangcong@xxxxxxxxx>

[ Upstream commit fb83ed496b9a654f60cd1d58a0e1e79ec5694808 ]

When TIPC_NLA_UDP_REMOTE is an IPv6 mcast address but
TIPC_NLA_UDP_LOCAL is an IPv4 address, a NULL-ptr deref is triggered
as the UDP tunnel sock is initialized to IPv4 or IPv6 sock merely
based on the protocol in local address.

We should just error out when the remote address and local address
have different protocols.

Reported-by: syzbot+eb4da3a20fad2e52555d@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Ying Xue <ying.xue@xxxxxxxxxxxxx>
Cc: Jon Maloy <jon.maloy@xxxxxxxxxxxx>
Signed-off-by: Cong Wang <xiyou.wangcong@xxxxxxxxx>
Acked-by: Jon Maloy <jon.maloy@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
net/tipc/udp_media.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -680,6 +680,11 @@ static int tipc_udp_enable(struct net *n
if (err)
goto err;

+ if (remote.proto != local.proto) {
+ err = -EINVAL;
+ goto err;
+ }
/* Autoconfigure own node identity if needed */
if (!tipc_own_id(net)) {
memcpy(node_id, local.ipv6.in6_u.u6_addr8, 16);