linux/net/tipc
Michal Kubeček 3de81b7588 tipc: check minimum bearer MTU
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Fixes: b97bf3fd8f ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-02 14:03:20 -05:00
..
addr.c tipc: simplify include dependencies 2015-05-14 12:24:45 -04:00
addr.h tipc: introduce constants for tipc address validation 2016-07-26 14:26:42 -07:00
bcast.c tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
bcast.h tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
bearer.c tipc: check minimum bearer MTU 2016-12-02 14:03:20 -05:00
bearer.h tipc: check minimum bearer MTU 2016-12-02 14:03:20 -05:00
core.c tipc: add neighbor monitoring framework 2016-06-15 14:06:28 -07:00
core.h tipc: add neighbor monitoring framework 2016-06-15 14:06:28 -07:00
discover.c tipc: honor msg2addr return value 2016-06-29 05:17:37 -04:00
discover.h tipc: eliminate buffer leak in bearer layer 2016-04-07 17:00:13 -04:00
eth_media.c
ib_media.c
Kconfig
link.c tipc: fix link statistics counter errors 2016-11-27 20:35:55 -05:00
link.h tipc: transfer broadcast nacks in link state messages 2016-09-02 17:10:24 -07:00
Makefile tipc: add neighbor monitoring framework 2016-06-15 14:06:28 -07:00
monitor.c tipc: improve sanity check for received domain records 2016-11-25 20:06:18 -05:00
monitor.h tipc: dump monitor attributes 2016-07-26 14:26:42 -07:00
msg.c tipc: unclone unbundled buffers before forwarding 2016-06-22 16:33:35 -04:00
msg.h tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
name_distr.c tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
name_distr.h tipc: reduce code dependency between binding table and node layer 2015-11-20 14:06:10 -05:00
name_table.c tipc: move netlink policies to netlink.c 2016-03-07 14:56:41 -05:00
name_table.h
net.c tipc: move netlink policies to netlink.c 2016-03-07 14:56:41 -05:00
net.h tipc: add peer removal functionality 2016-08-18 23:36:07 -07:00
netlink_compat.c tipc: fix nl compat regression for link statistics 2016-07-01 16:47:38 -04:00
netlink.c tipc: add UDP remoteip dump to netlink API 2016-08-26 21:38:41 -07:00
netlink.h tipc: make cluster size threshold for monitoring configurable 2016-07-26 14:26:42 -07:00
node.c tipc: fix broadcast link synchronization problem 2016-10-29 17:21:09 -04:00
node.h tipc: transfer broadcast nacks in link state messages 2016-09-02 17:10:24 -07:00
server.c tipc: Use kmemdup instead of kmalloc and memcpy 2016-06-27 09:56:58 -04:00
server.h tipc: fix a race condition leading to subscriber refcnt bug 2016-04-14 16:46:46 -04:00
socket.c tipc: resolve connection flow control compatibility problem 2016-11-25 21:38:16 -05:00
socket.h tipc: redesign connection-level flow control 2016-05-03 15:51:16 -04:00
subscr.c tipc: remove an unnecessary NULL check 2016-04-28 16:54:12 -04:00
subscr.h tipc: remove struct tipc_name_seq from struct tipc_subscription 2016-02-06 03:40:43 -05:00
sysctl.c
udp_media.c tipc: check minimum bearer MTU 2016-12-02 14:03:20 -05:00
udp_media.h tipc: add UDP remoteip dump to netlink API 2016-08-26 21:38:41 -07:00