Qian Zhang (张谦) reported a potential socket buffer overflow in tipc_msg_build(). The minimum fragment length needs to be checked against the maximum packet size, which is based on the link MTU.
Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn> Signed-off-by: Ben Hutchings <b...@decadent.org.uk> --- This is untested, but I think it fixes the issue reported. Ideally tipc_l2_device_event() would also disable use of TIPC on devices with too small an MTU, like several other protocols do. Ben. net/tipc/msg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/tipc/msg.c b/net/tipc/msg.c index 17201aa8423d..b9124ac82c29 100644 --- a/net/tipc/msg.c +++ b/net/tipc/msg.c @@ -274,6 +274,10 @@ int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m, goto error; } + /* Check that fragment and message header will fit */ + if (INT_H_SIZE + mhsz > pktmax) + return -EMSGSIZE; + /* Prepare reusable fragment header */ tipc_msg_init(msg_prevnode(mhdr), &pkthdr, MSG_FRAGMENTER, FIRST_FRAGMENT, INT_H_SIZE, msg_destnode(mhdr));
signature.asc
Description: Digital signature