Re: [PATCH net] tipc: check minimum bearer MTU

From: Ben Hutchings
Date: Wed Nov 30 2016 - 19:05:29 EST


On Wed, 2016-11-30 at 11:24 +0100, Michal Kubecek wrote:
> On Wed, Nov 30, 2016 at 10:57:02AM +0100, Michal Kubecek wrote:
> > Qian Zhang (åè) reported a potential socket buffer overflow in
> > tipc_msg_build() which is also known as CVE-2016-8632: due to
> > insufficient checks, a buffer overflow can occur if MTU is too short for
> > even tipc headers. As anyone can set device MTU in a user/net namespace,
> > this issue can be abused by a regular user.
> >
> > As agreed in the discussion on Ben Hutchings' original patch, we should
> > check the MTU at the moment a bearer is attached rather than for each
> > processed packet. We also need to repeat the check when bearer MTU is
> > adjusted to new device MTU. UDP case also needs a check to avoid
> > overflow when calculating bearer MTU.
> >
> > Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
> > Signed-off-by: Michal Kubecek <mkubecek@xxxxxxx>
> > Reported-by: Qian Zhang (åè) <zhangqian-c@xxxxxx>
>
> Self-NACK.
>
> Im sorry, while testing this, I overlooked that an attempt to change
> MTU of an underlying device to low value issues a warning but it
> succeeds anyway.
[...]

I'm not sure that TIPC should block the MTU change, anyway. ÂFor IPv4
and IPv6 we disable the protocol on a device if its MTU is reduced
below the minimum. I think TIPC should behave the same way.

Ben.

--
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by
stupidity.

Attachment: signature.asc
Description: This is a digitally signed message part