From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-176.mta1.migadu.com (out-176.mta1.migadu.com [95.215.58.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6837D3E3D90 for ; Fri, 10 Jul 2026 10:41:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.176 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783680100; cv=none; b=Myvo5/9hRci20AT+3ZO+Q/GYcmyKe9SOi8Ks9CgfjzL97YB4K0/jfwiCMzPM7PL/mrJuUyP09rdltiG2hTDiVDLBOeXUA7/QaaRkmL3R7c5J7LPK+WJutB9WFKs7jssf8vAIFZYHDNRJoEvJZsJJ9pWsb7n+AS6xxR6xRvVkMBw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783680100; c=relaxed/simple; bh=LfhlL2W6j2hA8eOrwNmMvbP+CJ2GYmxEkNjEaH7zcYM=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=BrXjx2NWU6wrj8NVLsDmxPtJcQjoL/RqqxLanVuWjc8d17mXrQa7VlZk4ebU43XwAwKNSBv4A4yDiIXXuJP69wxWh3mAZjVQPo6WeyoTa8I8LCJpI+he9SSGP1lImjBp9HKJhfSTXq5Y8dInCb7HhjMUbRGIwKrFRvOohAuwdcU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=aX6EezCr; arc=none smtp.client-ip=95.215.58.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="aX6EezCr" Message-ID: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1783680092; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WIen9J+HiKMTSP8zdU+4TxCJxWFnr4znTXA41zOFZ2E=; b=aX6EezCrvR9grtaeAQkf5pCPN5DQ4LTPoMDag5wukubszdwnMo3zbjNdVI0Xg4tl1f05H5 VI3xi4t1eR0h9Bv/UGZN7kKPs+mKRZTYp8Bz/wmryfNxH1/ANk2+HjgRd9M7GEWbhe1pZj sVrDDLQtke0mVRownXvenTIzlVUqjIU= Date: Fri, 10 Jul 2026 11:41:21 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH net v3] tipc: fix u16 MTU truncation in media and bearer MTU validation To: "Cen Zhang (Microsoft)" , jmaloy@redhat.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, tung.quang.nguyen@est.tech, AutonomousCodeSecurity@microsoft.com, tgopinath@linux.microsoft.com, kys@microsoft.com References: <20260708180212.2898-1-blbllhy@gmail.com> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Vadim Fedorenko In-Reply-To: <20260708180212.2898-1-blbllhy@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT On 08/07/2026 19:02, Cen Zhang (Microsoft) wrote: > Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied > MTU values but only enforce a minimum bound, not a maximum. When a user > sets the MTU to a value exceeding U16_MAX (65535), it passes validation > but is silently truncated when assigned to u16 fields l->mtu and > l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000) > truncate to 0, causing a division by zero in tipc_link_set_queue_limits() > which computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing > values (e.g. 65537-131071) produce small incorrect MTU values, resulting > in link malfunction behaviors. > > Crash stack (triggered as unprivileged user via user namespace): > > tipc_link_set_queue_limits net/tipc/link.c:2531 > tipc_link_create net/tipc/link.c:520 > tipc_node_check_dest net/tipc/node.c:1279 > tipc_disc_rcv net/tipc/discover.c:252 > tipc_rcv net/tipc/node.c:2129 > tipc_udp_recv net/tipc/udp_media.c:392 > > Two independent paths lack the upper bound check: > 1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET) > 2. inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET) > > Fix both by rejecting MTU values above U16_MAX. > > Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU") > Reported-by: AutonomousCodeSecurity@microsoft.com > Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com > Signed-off-by: Cen Zhang (Microsoft) > --- > v3: Use nla_policy check to limit MTU max value as suggested by Vadim > v2: Solved format issue > Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com > > net/tipc/netlink.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c > index 8336a9664703..1307dd1a9613 100644 > --- a/net/tipc/netlink.c > +++ b/net/tipc/netlink.c > @@ -113,12 +113,16 @@ const struct nla_policy tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = { > }; > > /* Properties valid for media, bearer and link */ > +static const struct netlink_range_validation tipc_nl_mtu_range = { > + .max = U16_MAX, > +}; > + > const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = { > [TIPC_NLA_PROP_UNSPEC] = { .type = NLA_UNSPEC }, > [TIPC_NLA_PROP_PRIO] = { .type = NLA_U32 }, > [TIPC_NLA_PROP_TOL] = { .type = NLA_U32 }, > [TIPC_NLA_PROP_WIN] = { .type = NLA_U32 }, > - [TIPC_NLA_PROP_MTU] = { .type = NLA_U32 }, > + [TIPC_NLA_PROP_MTU] = NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range), > [TIPC_NLA_PROP_BROADCAST] = { .type = NLA_U32 }, > [TIPC_NLA_PROP_BROADCAST_RATIO] = { .type = NLA_U32 } > }; Reviewed-by: Vadim Fedorenko