• M
    tipc: check minimum bearer MTU · 3de81b75
    Michal Kubeček 提交于
    Qian Zhang (张谦) reported a potential socket buffer overflow in
    tipc_msg_build() which is also known as CVE-2016-8632: due to
    insufficient checks, a buffer overflow can occur if MTU is too short for
    even tipc headers. As anyone can set device MTU in a user/net namespace,
    this issue can be abused by a regular user.
    
    As agreed in the discussion on Ben Hutchings' original patch, we should
    check the MTU at the moment a bearer is attached rather than for each
    processed packet. We also need to repeat the check when bearer MTU is
    adjusted to new device MTU. UDP case also needs a check to avoid
    overflow when calculating bearer MTU.
    
    Fixes: b97bf3fd ("[TIPC] Initial merge")
    Signed-off-by: NMichal Kubecek <mkubecek@suse.cz>
    Reported-by: NQian Zhang (张谦) <zhangqian-c@360.cn>
    Acked-by: NYing Xue <ying.xue@windriver.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    3de81b75
bearer.c 27.6 KB