• Michal Kubeček's avatar
    tipc: check minimum bearer MTU · 3de81b75
    Michal Kubeček authored
    Qian Zhang (张谦) reported a potential socket buffer overflow in
    tipc_msg_build() which is also known as CVE-2016-8632: due to
    insufficient checks, a buffer overflow can occur if MTU is too short for
    even tipc headers. As anyone can set device MTU in a user/net namespace,
    this issue can be abused by a regular user.
    
    As agreed in the discussion on Ben Hutchings' original patch, we should
    check the MTU at the moment a bearer is attached rather than for each
    processed packet. We also need to repeat the check when bearer MTU is
    adjusted to new device MTU. UDP case also needs a check to avoid
    overflow when calculating bearer MTU.
    
    Fixes: b97bf3fd ("[TIPC] Initial merge")
    Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
    Reported-by: default avatarQian Zhang (张谦) <zhangqian-c@360.cn>
    Acked-by: default avatarYing Xue <ying.xue@windriver.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    3de81b75
udp_media.c 19.7 KB