Qian Zhang (张谦) reported a potential socket buffer overflow in tipc_msg_build(). The minimum fragment length needs to be checked against the maximum packet size, which is based on the link MTU.
Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
This is untested, but I think it fixes the issue reported. Ideally
tipc_l2_device_event() would also disable use of TIPC on devices with
too small an MTU, like several other protocols do.
Ben.
net/tipc/msg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 17201aa8423d..b9124ac82c29 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -274,6 +274,10 @@ int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m,
goto error;
}
+ /* Check that fragment and message header will fit */
+ if (INT_H_SIZE + mhsz > pktmax)
+ return -EMSGSIZE;
+
/* Prepare reusable fragment header */
tipc_msg_init(msg_prevnode(mhdr), &pkthdr, MSG_FRAGMENTER,
FIRST_FRAGMENT, INT_H_SIZE, msg_destnode(mhdr));
signature.asc
Description: Digital signature
