Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build().  The minimum fragment length needs to be checked
against the maximum packet size, which is based on the link MTU.

Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
This is untested, but I think it fixes the issue reported.  Ideally
tipc_l2_device_event() would also disable use of TIPC on devices with
too small an MTU, like several other protocols do.


 net/tipc/msg.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 17201aa8423d..b9124ac82c29 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -274,6 +274,10 @@ int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m,
                goto error;
+       /* Check that fragment and message header will fit */
+       if (INT_H_SIZE + mhsz > pktmax)
+               return -EMSGSIZE;
        /* Prepare reusable fragment header */
        tipc_msg_init(msg_prevnode(mhdr), &pkthdr, MSG_FRAGMENTER,
                      FIRST_FRAGMENT, INT_H_SIZE, msg_destnode(mhdr));

Attachment: signature.asc
Description: Digital signature

Reply via email to