| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161019021654.GD2773@decadent.org.uk>
Date: Wed, 19 Oct 2016 03:16:54 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: Jon Maloy <jon.maloy@...csson.com>,
Ying Xue <ying.xue@...driver.com>
Cc: netdev@...r.kernel.org, Qian Zhang <zhangqian-c@....cn>,
Eric Dumazet <edumazet@...gle.com>
Subject: [PATCH net] tipc: Guard against tiny MTU in tipc_msg_build()
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build(). The minimum fragment length needs to be checked
against the maximum packet size, which is based on the link MTU.
Reported-by: Qian Zhang (张谦) <zhangqian-c@....cn>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
This is untested, but I think it fixes the issue reported. Ideally
tipc_l2_device_event() would also disable use of TIPC on devices with
too small an MTU, like several other protocols do.
Ben.
net/tipc/msg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 17201aa8423d..b9124ac82c29 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -274,6 +274,10 @@ int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m,
goto error;
}
+ /* Check that fragment and message header will fit */
+ if (INT_H_SIZE + mhsz > pktmax)
+ return -EMSGSIZE;
+
/* Prepare reusable fragment header */
tipc_msg_init(msg_prevnode(mhdr), &pkthdr, MSG_FRAGMENTER,
FIRST_FRAGMENT, INT_H_SIZE, msg_destnode(mhdr));
Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)
Powered by blists - more mailing lists