Re: [PATCH net v3] tipc: check minimum bearer MTU

From: David Miller
Date: Fri Dec 02 2016 - 14:03:42 EST

Next message: Linus Torvalds: "Re: [PATCH v2 5/6] x86/xen: Add a Xen-specific sync_core() implementation"
Previous message: Aniroop Mathur: "Re: [PATCH] IIO: Change msleep to usleep_range for small msecs"
In reply to: Ying Xue: "Re: [PATCH net v3] tipc: check minimum bearer MTU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Kubecek <mkubecek@xxxxxxx>
Date: Fri, 2 Dec 2016 09:33:41 +0100 (CET)

> Qian Zhang (åè) reported a potential socket buffer overflow in
> tipc_msg_build() which is also known as CVE-2016-8632: due to
> insufficient checks, a buffer overflow can occur if MTU is too short for
> even tipc headers. As anyone can set device MTU in a user/net namespace,
> this issue can be abused by a regular user.
>
> As agreed in the discussion on Ben Hutchings' original patch, we should
> check the MTU at the moment a bearer is attached rather than for each
> processed packet. We also need to repeat the check when bearer MTU is
> adjusted to new device MTU. UDP case also needs a check to avoid
> overflow when calculating bearer MTU.
>
> Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
> Signed-off-by: Michal Kubecek <mkubecek@xxxxxxx>
> Reported-by: Qian Zhang (åè) <zhangqian-c@xxxxxx>

Applied and queued up for -stable, thanks.

Next message: Linus Torvalds: "Re: [PATCH v2 5/6] x86/xen: Add a Xen-specific sync_core() implementation"
Previous message: Aniroop Mathur: "Re: [PATCH] IIO: Change msleep to usleep_range for small msecs"
In reply to: Ying Xue: "Re: [PATCH net v3] tipc: check minimum bearer MTU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]