Subject: Re: [PATCH net v3] tipc: check minimum bearer MTU
To: Michal Kubecek <mkubecek@suse.cz>, Jon Maloy <jon.maloy@ericsson.com>
References: <20161202083341.BB955A0F33@unicorn.suse.cz>
CC: "David S. Miller" <davem@davemloft.net>,
        <tipc-discussion@lists.sourceforge.net>, <netdev@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, Ben Hutchings <ben@decadent.org.uk>,
        Qian Zhang <zhangqian-c@360.cn>
From: Ying Xue <ying.xue@windriver.com>
Message-ID: <ba271624-f7aa-165e-950e-cf56b4c7621e@windriver.com>
Date: Fri, 2 Dec 2016 20:07:15 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <20161202083341.BB955A0F33@unicorn.suse.cz>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 939
Lines: 21

On 12/02/2016 04:33 PM, Michal Kubecek wrote:
> Qian Zhang (张谦) reported a potential socket buffer overflow in
> tipc_msg_build() which is also known as CVE-2016-8632: due to
> insufficient checks, a buffer overflow can occur if MTU is too short for
> even tipc headers. As anyone can set device MTU in a user/net namespace,
> this issue can be abused by a regular user.
>
> As agreed in the discussion on Ben Hutchings' original patch, we should
> check the MTU at the moment a bearer is attached rather than for each
> processed packet. We also need to repeat the check when bearer MTU is
> adjusted to new device MTU. UDP case also needs a check to avoid
> overflow when calculating bearer MTU.
>
> Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
> ---

Thanks, it looks nice to me.

Acked-by: Ying Xue <ying.xue@windriver.com>