65d30f7545
commit 3de81b758853f0b29c61e246679d20b513c4cfec upstream.
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes:
|
||
|---|---|---|
| .. | ||
| addr.c | ||
| addr.h | ||
| bcast.c | ||
| bcast.h | ||
| bearer.c | ||
| bearer.h | ||
| core.c | ||
| core.h | ||
| discover.c | ||
| discover.h | ||
| eth_media.c | ||
| ib_media.c | ||
| Kconfig | ||
| link.c | ||
| link.h | ||
| Makefile | ||
| msg.c | ||
| msg.h | ||
| name_distr.c | ||
| name_distr.h | ||
| name_table.c | ||
| name_table.h | ||
| net.c | ||
| net.h | ||
| netlink_compat.c | ||
| netlink.c | ||
| netlink.h | ||
| node.c | ||
| node.h | ||
| server.c | ||
| server.h | ||
| socket.c | ||
| socket.h | ||
| subscr.c | ||
| subscr.h | ||
| sysctl.c | ||
| udp_media.c | ||