diff options
| author | Michal Kubeček <mkubecek@suse.cz> | 2016-12-02 09:33:41 +0100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2017-02-23 03:54:42 +0000 |
| commit | cd53924265a9d328af37722c6b682e4ea793d04e (patch) | |
| tree | 51eafd588c7b251f480a80d2544d85290f3add6b /include/linux/flex_array.h | |
| parent | e07d83a4c3854f0d13d761b51895fa8d1dc9c6a4 (diff) | |
tipc: check minimum bearer MTU
commit 3de81b758853f0b29c61e246679d20b513c4cfec upstream.
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Adjust context
- Duplicate macro definitions in bearer.h to avoid mutual inclusion
- NETDEV_DOWN and NETDEV_CHANGEMTU cases in net notifier were combined
- Drop changes in udp_media.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include/linux/flex_array.h')
0 files changed, 0 insertions, 0 deletions