From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-182.mta1.migadu.com (out-182.mta1.migadu.com [95.215.58.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EBA44282F06 for ; Fri, 10 Jul 2026 12:12:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.182 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783685553; cv=none; b=AjmyyU1hxmtJNfidXLDv1WAjNaj4G17+6aSGYQU7YE32cPSNASnlnpcD6M6WCWBw1WXSJMHffmVikUfFd3fCc55KdUxRxZVVgVPvPqSdBg2IK3f6lTv4xmT1h6NISlgEae5z/3nrbuHqDtzT3Kif+IQR6ImnIlTJpsv+xhduifM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783685553; c=relaxed/simple; bh=kncPPJU7oSZrwqQQ6+MJyVMpyjDMZZKMch5+HSdqPOA=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=nTnYvgFUpawA+/zjgKCODRlRwu9imQ+bFKc6+QIVHBxJ4gMFeQLjjqG+U8K0z1LrOp7w9MK0fpCv7Lmk80vlRMsZywSR/paVt9CQKPmpIsJd2xyMyHmYqPxeBpsOH76BWPJgIFdj0LVrYqsxl/ePU06Oh33YexKpwSgFQF1JEjc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=mhAZDJUG; arc=none smtp.client-ip=95.215.58.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="mhAZDJUG" Message-ID: <50cb9ea4-2bbb-4cfd-a036-a57bcf3b49fc@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1783685548; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1FF7GVP6cib1+yqqgVU49xl+8QepM561jHpnXA6AG2A=; b=mhAZDJUGNH6BGKTdRuOasWPdBYy3JzF1+Xj8G3aS9Or8AldA6HWDYqHQSCynLH7ls89RrW TaIWF5RemXR+xViur/E34aThorcbSfzz1bHCYVckmFvbbIqh9SJ04WNkE4yBpugSv/Rdkb NxlKWZzktOVzXjhr7XS6YcuyLJdR/9Q= Date: Fri, 10 Jul 2026 13:12:05 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation To: "Cen Zhang (Microsoft)" , jmaloy@redhat.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, tung.quang.nguyen@est.tech, AutonomousCodeSecurity@microsoft.com, tgopinath@linux.microsoft.com, kys@microsoft.com References: <20260709211649.15623-1-blbllhy@gmail.com> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Vadim Fedorenko In-Reply-To: <20260709211649.15623-1-blbllhy@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT On 09/07/2026 22:16, Cen Zhang (Microsoft) wrote: > Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied > MTU values but only enforce a minimum bound, not a maximum. When a user > sets the MTU to a value exceeding U16_MAX (65535), it passes validation > but is silently truncated when assigned to u16 fields l->mtu and > l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000) > truncate to 0, causing a division by zero in tipc_link_set_queue_limits() > which computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing > values (e.g. 65537-131071) produce small incorrect MTU values, resulting > in link malfunction behaviors. > > Crash stack (triggered as unprivileged user via user namespace): > > tipc_link_set_queue_limits net/tipc/link.c:2531 > tipc_link_create net/tipc/link.c:520 > tipc_node_check_dest net/tipc/node.c:1279 > tipc_disc_rcv net/tipc/discover.c:252 > tipc_rcv net/tipc/node.c:2129 > tipc_udp_recv net/tipc/udp_media.c:392 > > Two independent paths lack the upper bound check: > 1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET) > 2. inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET) > > Fix both by rejecting MTU values above U16_MAX. > > Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU") > Reported-by: AutonomousCodeSecurity@microsoft.com > Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com > Signed-off-by: Cen Zhang (Microsoft) > --- > v4: Add .min check value > v3: Use nla_policy check to limit MTU max value as suggested by Vadim > v2: Solved format issue > Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com > > net/tipc/netlink.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c > index 8336a9664703..811438c44542 100644 > --- a/net/tipc/netlink.c > +++ b/net/tipc/netlink.c > @@ -113,12 +113,17 @@ const struct nla_policy tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = { > }; > > /* Properties valid for media, bearer and link */ > +static const struct netlink_range_validation tipc_nl_mtu_range = { > + .min = TIPC_MIN_BEARER_MTU, > + .max = U16_MAX, > +}; > + > const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = { > [TIPC_NLA_PROP_UNSPEC] = { .type = NLA_UNSPEC }, > [TIPC_NLA_PROP_PRIO] = { .type = NLA_U32 }, > [TIPC_NLA_PROP_TOL] = { .type = NLA_U32 }, > [TIPC_NLA_PROP_WIN] = { .type = NLA_U32 }, > - [TIPC_NLA_PROP_MTU] = { .type = NLA_U32 }, > + [TIPC_NLA_PROP_MTU] = NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range), > [TIPC_NLA_PROP_BROADCAST] = { .type = NLA_U32 }, > [TIPC_NLA_PROP_BROADCAST_RATIO] = { .type = NLA_U32 } > }; Reviewed-by: Vadim Fedorenko