Skip to content
Commit 3de81b75 authored by Michal Kubeček's avatar Michal Kubeček Committed by David S. Miller
Browse files

tipc: check minimum bearer MTU



Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Fixes: b97bf3fd ("[TIPC] Initial merge")
Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
Reported-by: default avatarQian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: default avatarYing Xue <ying.xue@windriver.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f0d21e89
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment