diff options
author | Michal Kubeček <mkubecek@suse.cz> | 2016-12-02 09:33:41 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-12-02 14:03:20 -0500 |
commit | 3de81b758853f0b29c61e246679d20b513c4cfec (patch) | |
tree | fe4107dc49e976bfeeacd6cae7b18ac8dd179851 /net/tipc/udp_media.c | |
parent | f0d21e894713b43a75bdf2d1b31e587bd5db5341 (diff) | |
download | linux-3de81b758853f0b29c61e246679d20b513c4cfec.tar.bz2 |
tipc: check minimum bearer MTU
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc/udp_media.c')
-rw-r--r-- | net/tipc/udp_media.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index 78cab9c5a445..b58dc95f3d35 100644 --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c @@ -697,6 +697,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, udp_conf.local_ip.s_addr = htonl(INADDR_ANY); udp_conf.use_udp_checksums = false; ub->ifindex = dev->ifindex; + if (tipc_mtu_bad(dev, sizeof(struct iphdr) + + sizeof(struct udphdr))) { + err = -EINVAL; + goto err; + } b->mtu = dev->mtu - sizeof(struct iphdr) - sizeof(struct udphdr); #if IS_ENABLED(CONFIG_IPV6) |