From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-179.mta1.migadu.com (out-179.mta1.migadu.com [95.215.58.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D73FA2DF12F for ; Fri, 10 Jul 2026 14:03:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783692198; cv=none; b=og5JpxF8xL0SO5rZtTzUGA4eAB6nGEVpWHUq+3AN7H2qALCdNgKJiH64+r5qoBfiPSUsFyVWlnXlKghzwPzFMIvcRkFhsNVbq56FhB9E5gVTRrAF/RRxJyhxWfLXg/hobQafWEsM3DJG9zDIWWPUOxc/sz3tYRVyFwEnc3bGnCo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783692198; c=relaxed/simple; bh=NMnp8am1BA6xzrrUXsYSHtwCeKFYEfEoZr5/9p8eS2Y=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=SjV/HsZsC/dVMryZ/w9wqz0iaxmUMGsda7FGKXvHp8fv1nPFu4EbGlgX0tMMiXS6VMp5oaqaMW0NfkF9cQFGrBhtATf7Ma3R6OMs1IEO/B2CstgEV0Fa6+az9/zCZPpNMK1blMXYYSn3DDK5NKUjGwQgNecQBzrzqHqJNn24jU4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=vNgU6bC7; arc=none smtp.client-ip=95.215.58.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="vNgU6bC7" Message-ID: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1783692193; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SAV48k/TGulRNnoJ6bMcRlsY0qC959NRu+LCzm6VfGU=; b=vNgU6bC7d7cHwsrchD3CEuePnT26UK8tLc9gFh5By+UxHfT72+lNgxV803z8kQHaCwW82t lIa1PrSB908EZcUAB7kTMOQf5G9o450BkFPdjPAbtYs0Yzjg0ku/y6kMpOx3lQPbqtr/OJ h7DEyghtBuxdmr23dwAoEgkpe9VXMiM= Date: Fri, 10 Jul 2026 15:02:51 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation To: Tung Quang Nguyen , "Cen Zhang (Microsoft)" Cc: "netdev@vger.kernel.org" , "tipc-discussion@lists.sourceforge.net" , "linux-kernel@vger.kernel.org" , "AutonomousCodeSecurity@microsoft.com" , "tgopinath@linux.microsoft.com" , "kys@microsoft.com" , "jmaloy@redhat.com" , "davem@davemloft.net" , "edumazet@google.com" , "kuba@kernel.org" , "pabeni@redhat.com" , "horms@kernel.org" References: <20260709211649.15623-1-blbllhy@gmail.com> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Vadim Fedorenko In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT On 10/07/2026 13:57, Tung Quang Nguyen wrote: >> Subject: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU >> validation >> >> Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied >> MTU values but only enforce a minimum bound, not a maximum. When a user >> sets the MTU to a value exceeding U16_MAX (65535), it passes validation but is >> silently truncated when assigned to u16 fields l->mtu and >> l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000) >> truncate to 0, causing a division by zero in tipc_link_set_queue_limits() which >> computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing values >> (e.g. 65537-131071) produce small incorrect MTU values, resulting in link >> malfunction behaviors. > > Yes, this is a bug. I can reproduce the same div-by-zero. > >> >> Crash stack (triggered as unprivileged user via user namespace): >> >> tipc_link_set_queue_limits net/tipc/link.c:2531 >> tipc_link_create net/tipc/link.c:520 >> tipc_node_check_dest net/tipc/node.c:1279 >> tipc_disc_rcv net/tipc/discover.c:252 >> tipc_rcv net/tipc/node.c:2129 >> tipc_udp_recv net/tipc/udp_media.c:392 >> >> Two independent paths lack the upper bound check: >> 1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET) 2. >> inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET) >> >> Fix both by rejecting MTU values above U16_MAX. >> >> Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU") >> Reported-by: AutonomousCodeSecurity@microsoft.com >> Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F- >> CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com >> Signed-off-by: Cen Zhang (Microsoft) >> --- >> v4: Add .min check value >> v3: Use nla_policy check to limit MTU max value as suggested by Vadim >> v2: Solved format issue >> Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F- >> CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com >> >> net/tipc/netlink.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index >> 8336a9664703..811438c44542 100644 >> --- a/net/tipc/netlink.c >> +++ b/net/tipc/netlink.c >> @@ -113,12 +113,17 @@ const struct nla_policy >> tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = { }; >> >> /* Properties valid for media, bearer and link */ >> +static const struct netlink_range_validation tipc_nl_mtu_range = { >> + .min = TIPC_MIN_BEARER_MTU, > > Adding lower threshold checking introduces two issues: > 1. Existing function tipc_udp_mtu_bad() can never return "true". it can. if MTU is in the range [TIPC_MIN_BEARER_MTU, TIPC_MIN_BEARER_MTU + sizeof(iphdr) + sizeof(udphdr)] > 2. Breaking user-space applications looking for error message " Error: MTU value is out-of-range". Look at the error messages before and after your patch: > [Before patch] > node1 ~ # tipc bearer set mtu 15 media udp name UDP0 > Error: MTU value is out-of-range. > kernel answers: Invalid argument > > [After patch] > node1 ~ # tipc bearer set mtu 15 media udp name UDP0 > kernel answers: Numerical result out of range that's interesting, because this error message belongs to 9p scope... anyways, we can keep v3 of this patch with .max value set only > >> + .max = U16_MAX, >> +}; >> + >> const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = { >> [TIPC_NLA_PROP_UNSPEC] = { .type = NLA_UNSPEC }, >> [TIPC_NLA_PROP_PRIO] = { .type = NLA_U32 }, >> [TIPC_NLA_PROP_TOL] = { .type = NLA_U32 }, >> [TIPC_NLA_PROP_WIN] = { .type = NLA_U32 }, >> - [TIPC_NLA_PROP_MTU] = { .type = NLA_U32 }, >> + [TIPC_NLA_PROP_MTU] = >> NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range), >> [TIPC_NLA_PROP_BROADCAST] = { .type = NLA_U32 }, >> [TIPC_NLA_PROP_BROADCAST_RATIO] = { .type = NLA_U32 } >> }; >> -- >> 2.53.0 >