Date: Fri, 02 Dec 2016 14:03:34 -0500 (EST)
Message-Id: <20161202.140334.1963952105058981434.davem@davemloft.net>
To: mkubecek@suse.cz
Cc: jon.maloy@ericsson.com, ying.xue@windriver.com,
        tipc-discussion@lists.sourceforge.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, ben@decadent.org.uk, zhangqian-c@360.cn
Subject: Re: [PATCH net v3] tipc: check minimum bearer MTU
From: David Miller <davem@davemloft.net>
In-Reply-To: <20161202083341.BB955A0F33@unicorn.suse.cz>
References: <20161202083341.BB955A0F33@unicorn.suse.cz>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=utf-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Transfer-Encoding: 8bit
Content-Length: 943
Lines: 20

From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri,  2 Dec 2016 09:33:41 +0100 (CET)

> Qian Zhang (张谦) reported a potential socket buffer overflow in
> tipc_msg_build() which is also known as CVE-2016-8632: due to
> insufficient checks, a buffer overflow can occur if MTU is too short for
> even tipc headers. As anyone can set device MTU in a user/net namespace,
> this issue can be abused by a regular user.
> 
> As agreed in the discussion on Ben Hutchings' original patch, we should
> check the MTU at the moment a bearer is attached rather than for each
> processed packet. We also need to repeat the check when bearer MTU is
> adjusted to new device MTU. UDP case also needs a check to avoid
> overflow when calculating bearer MTU.
> 
> Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>

Applied and queued up for -stable, thanks.