Re: [PATCH net v3] tipc: check minimum bearer MTU

From: Ying Xue
Date: Fri Dec 02 2016 - 07:09:19 EST

Next message: Dmitry Banschikov: "epoll_wait inaccurate timeout"
Previous message: Artem Savkov: "Re: [PATCH] ip6_offload: check segs for NULL in ipv6_gso_segment."
In reply to: Michal Kubecek: "[PATCH net v3] tipc: check minimum bearer MTU"
Next in thread: David Miller: "Re: [PATCH net v3] tipc: check minimum bearer MTU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/02/2016 04:33 PM, Michal Kubecek wrote:

Qian Zhang (åè) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@xxxxxxx>
Reported-by: Qian Zhang (åè) <zhangqian-c@xxxxxx>
---

Thanks, it looks nice to me.

Acked-by: Ying Xue <ying.xue@xxxxxxxxxxxxx>

Next message: Dmitry Banschikov: "epoll_wait inaccurate timeout"
Previous message: Artem Savkov: "Re: [PATCH] ip6_offload: check segs for NULL in ipv6_gso_segment."
In reply to: Michal Kubecek: "[PATCH net v3] tipc: check minimum bearer MTU"
Next in thread: David Miller: "Re: [PATCH net v3] tipc: check minimum bearer MTU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]