• Michal Kubeček's avatar
    tipc: check minimum bearer MTU · 29273d45
    Michal Kubeček authored
    commit 3de81b75 upstream.
    
    Qian Zhang (张谦) reported a potential socket buffer overflow in
    tipc_msg_build() which is also known as CVE-2016-8632: due to
    insufficient checks, a buffer overflow can occur if MTU is too short for
    even tipc headers. As anyone can set device MTU in a user/net namespace,
    this issue can be abused by a regular user.
    
    As agreed in the discussion on Ben Hutchings' original patch, we should
    check the MTU at the moment a bearer is attached rather than for each
    processed packet. We also need to repeat the check when bearer MTU is
    adjusted to new device MTU. UDP case also needs a check to avoid
    overflow when calculating bearer MTU.
    
    Fixes: b97bf3fd ("[TIPC] Initial merge")
    Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
    Reported-by: default avatarQian Zhang (张谦) <zhangqian-c@360.cn>
    Acked-by: default avatarYing Xue <ying.xue@windriver.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.2:
     - Adjust filename, context
     - Duplicate macro definitions in bearer.h to avoid mutual inclusion
     - NETDEV_CHANGEMTU and NETDEV_CHANGEADDR cases in net notifier were combined
     - Drop changes in udp_media.c]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    29273d45
eth_media.c 9.1 KB