diff options
| author | Michal Kubeček <[email protected]> | 2016-12-02 09:33:41 +0100 | 
|---|---|---|
| committer | David S. Miller <[email protected]> | 2016-12-02 14:03:20 -0500 | 
| commit | 3de81b758853f0b29c61e246679d20b513c4cfec (patch) | |
| tree | fe4107dc49e976bfeeacd6cae7b18ac8dd179851 /lib/mpi/mpi-inline.h | |
| parent | f0d21e894713b43a75bdf2d1b31e587bd5db5341 (diff) | |
tipc: check minimum bearer MTU
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <[email protected]>
Reported-by: Qian Zhang (张谦) <[email protected]>
Acked-by: Ying Xue <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'lib/mpi/mpi-inline.h')
0 files changed, 0 insertions, 0 deletions