www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Michal Kubeček <mkubecek@suse.cz>
	Fri, 2 Dec 2016 08:33:41 +0000 (09:33 +0100)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Sun, 26 Feb 2017 03:31:06 +0000 (19:31 -0800)
commit	8a409bbe6b4483fd410ddb0ee54f7a66dbd1a8a7
tree	7f68ec1e7c509515d6450519f4cf28306fe4f621	tree
parent	2739857e58e8cc8e3affc317f0ca160a01f625e9	commit \| diff

tipc: check minimum bearer MTU

Orabug: 25063416
CVE: CVE-2016-8632

Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Conflicts:
net/tipc/bearer.c
net/tipc/bearer.h

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 3de81b758853f0b29c61e246679d20b513c4cfec)
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Reviewed-by: Ethan Zhao <ethan.zhao@oracle.com>

net/tipc/bearer.c		diff \| blob \| history
net/tipc/bearer.h		diff \| blob \| history
net/tipc/udp_media.c		diff \| blob \| history