Netdev List
 help / color / mirror / Atom feed
* [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation
@ 2026-07-09 21:16 Cen Zhang (Microsoft)
  2026-07-10 12:12 ` Vadim Fedorenko
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Cen Zhang (Microsoft) @ 2026-07-09 21:16 UTC (permalink / raw)
  To: jmaloy, davem, edumazet, kuba, pabeni, horms
  Cc: netdev, tipc-discussion, linux-kernel, vadim.fedorenko,
	tung.quang.nguyen, AutonomousCodeSecurity, tgopinath, kys,
	blbllhy

Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied
MTU values but only enforce a minimum bound, not a maximum. When a user
sets the MTU to a value exceeding U16_MAX (65535), it passes validation
but is silently truncated when assigned to u16 fields l->mtu and
l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000)
truncate to 0, causing a division by zero in tipc_link_set_queue_limits()
which computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing
values (e.g. 65537-131071) produce small incorrect MTU values, resulting
in link malfunction behaviors.

Crash stack (triggered as unprivileged user via user namespace):

  tipc_link_set_queue_limits  net/tipc/link.c:2531
  tipc_link_create            net/tipc/link.c:520
  tipc_node_check_dest        net/tipc/node.c:1279
  tipc_disc_rcv               net/tipc/discover.c:252
  tipc_rcv                    net/tipc/node.c:2129
  tipc_udp_recv               net/tipc/udp_media.c:392

Two independent paths lack the upper bound check:
1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET)
2. inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET)

Fix both by rejecting MTU values above U16_MAX.

Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
Reported-by: AutonomousCodeSecurity@microsoft.com
Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
Signed-off-by: Cen Zhang (Microsoft) <blbllhy@gmail.com>
---
v4: Add .min check value
v3: Use nla_policy check to limit MTU max value as suggested by Vadim
v2: Solved format issue
Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com

 net/tipc/netlink.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index 8336a9664703..811438c44542 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -113,12 +113,17 @@ const struct nla_policy tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = {
 };
 
 /* Properties valid for media, bearer and link */
+static const struct netlink_range_validation tipc_nl_mtu_range = {
+	.min = TIPC_MIN_BEARER_MTU,
+	.max = U16_MAX,
+};
+
 const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
 	[TIPC_NLA_PROP_UNSPEC]		= { .type = NLA_UNSPEC },
 	[TIPC_NLA_PROP_PRIO]		= { .type = NLA_U32 },
 	[TIPC_NLA_PROP_TOL]		= { .type = NLA_U32 },
 	[TIPC_NLA_PROP_WIN]		= { .type = NLA_U32 },
-	[TIPC_NLA_PROP_MTU]		= { .type = NLA_U32 },
+	[TIPC_NLA_PROP_MTU]		= NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range),
 	[TIPC_NLA_PROP_BROADCAST]	= { .type = NLA_U32 },
 	[TIPC_NLA_PROP_BROADCAST_RATIO]	= { .type = NLA_U32 }
 };
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation
  2026-07-09 21:16 [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation Cen Zhang (Microsoft)
@ 2026-07-10 12:12 ` Vadim Fedorenko
  2026-07-10 12:57 ` Tung Quang Nguyen
  2026-07-10 16:34 ` Andrew Lunn
  2 siblings, 0 replies; 6+ messages in thread
From: Vadim Fedorenko @ 2026-07-10 12:12 UTC (permalink / raw)
  To: Cen Zhang (Microsoft), jmaloy, davem, edumazet, kuba, pabeni,
	horms
  Cc: netdev, tipc-discussion, linux-kernel, tung.quang.nguyen,
	AutonomousCodeSecurity, tgopinath, kys

On 09/07/2026 22:16, Cen Zhang (Microsoft) wrote:
> Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied
> MTU values but only enforce a minimum bound, not a maximum. When a user
> sets the MTU to a value exceeding U16_MAX (65535), it passes validation
> but is silently truncated when assigned to u16 fields l->mtu and
> l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000)
> truncate to 0, causing a division by zero in tipc_link_set_queue_limits()
> which computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing
> values (e.g. 65537-131071) produce small incorrect MTU values, resulting
> in link malfunction behaviors.
> 
> Crash stack (triggered as unprivileged user via user namespace):
> 
>    tipc_link_set_queue_limits  net/tipc/link.c:2531
>    tipc_link_create            net/tipc/link.c:520
>    tipc_node_check_dest        net/tipc/node.c:1279
>    tipc_disc_rcv               net/tipc/discover.c:252
>    tipc_rcv                    net/tipc/node.c:2129
>    tipc_udp_recv               net/tipc/udp_media.c:392
> 
> Two independent paths lack the upper bound check:
> 1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET)
> 2. inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET)
> 
> Fix both by rejecting MTU values above U16_MAX.
> 
> Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
> Reported-by: AutonomousCodeSecurity@microsoft.com
> Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
> Signed-off-by: Cen Zhang (Microsoft) <blbllhy@gmail.com>
> ---
> v4: Add .min check value
> v3: Use nla_policy check to limit MTU max value as suggested by Vadim
> v2: Solved format issue
> Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
> 
>   net/tipc/netlink.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
> index 8336a9664703..811438c44542 100644
> --- a/net/tipc/netlink.c
> +++ b/net/tipc/netlink.c
> @@ -113,12 +113,17 @@ const struct nla_policy tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = {
>   };
>   
>   /* Properties valid for media, bearer and link */
> +static const struct netlink_range_validation tipc_nl_mtu_range = {
> +	.min = TIPC_MIN_BEARER_MTU,
> +	.max = U16_MAX,
> +};
> +
>   const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
>   	[TIPC_NLA_PROP_UNSPEC]		= { .type = NLA_UNSPEC },
>   	[TIPC_NLA_PROP_PRIO]		= { .type = NLA_U32 },
>   	[TIPC_NLA_PROP_TOL]		= { .type = NLA_U32 },
>   	[TIPC_NLA_PROP_WIN]		= { .type = NLA_U32 },
> -	[TIPC_NLA_PROP_MTU]		= { .type = NLA_U32 },
> +	[TIPC_NLA_PROP_MTU]		= NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range),
>   	[TIPC_NLA_PROP_BROADCAST]	= { .type = NLA_U32 },
>   	[TIPC_NLA_PROP_BROADCAST_RATIO]	= { .type = NLA_U32 }
>   };

Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation
  2026-07-09 21:16 [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation Cen Zhang (Microsoft)
  2026-07-10 12:12 ` Vadim Fedorenko
@ 2026-07-10 12:57 ` Tung Quang Nguyen
  2026-07-10 14:02   ` Vadim Fedorenko
  2026-07-10 16:34 ` Andrew Lunn
  2 siblings, 1 reply; 6+ messages in thread
From: Tung Quang Nguyen @ 2026-07-10 12:57 UTC (permalink / raw)
  To: Cen Zhang (Microsoft)
  Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org, vadim.fedorenko@linux.dev,
	AutonomousCodeSecurity@microsoft.com,
	tgopinath@linux.microsoft.com, kys@microsoft.com,
	jmaloy@redhat.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org

>Subject: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU
>validation
>
>Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied
>MTU values but only enforce a minimum bound, not a maximum. When a user
>sets the MTU to a value exceeding U16_MAX (65535), it passes validation but is
>silently truncated when assigned to u16 fields l->mtu and
>l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000)
>truncate to 0, causing a division by zero in tipc_link_set_queue_limits() which
>computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing values
>(e.g. 65537-131071) produce small incorrect MTU values, resulting in link
>malfunction behaviors.

Yes, this is a bug. I can reproduce the same div-by-zero.

>
>Crash stack (triggered as unprivileged user via user namespace):
>
>  tipc_link_set_queue_limits  net/tipc/link.c:2531
>  tipc_link_create            net/tipc/link.c:520
>  tipc_node_check_dest        net/tipc/node.c:1279
>  tipc_disc_rcv               net/tipc/discover.c:252
>  tipc_rcv                    net/tipc/node.c:2129
>  tipc_udp_recv               net/tipc/udp_media.c:392
>
>Two independent paths lack the upper bound check:
>1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET) 2.
>inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET)
>
>Fix both by rejecting MTU values above U16_MAX.
>
>Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
>Reported-by: AutonomousCodeSecurity@microsoft.com
>Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-
>CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
>Signed-off-by: Cen Zhang (Microsoft) <blbllhy@gmail.com>
>---
>v4: Add .min check value
>v3: Use nla_policy check to limit MTU max value as suggested by Vadim
>v2: Solved format issue
>Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-
>CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
>
> net/tipc/netlink.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index
>8336a9664703..811438c44542 100644
>--- a/net/tipc/netlink.c
>+++ b/net/tipc/netlink.c
>@@ -113,12 +113,17 @@ const struct nla_policy
>tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = {  };
>
> /* Properties valid for media, bearer and link */
>+static const struct netlink_range_validation tipc_nl_mtu_range = {
>+	.min = TIPC_MIN_BEARER_MTU,

Adding lower threshold checking introduces two issues:
1. Existing function tipc_udp_mtu_bad() can never return "true".
2. Breaking user-space applications looking for error message " Error: MTU value is out-of-range". Look at the error messages before and after your patch:
[Before patch]
node1 ~ # tipc bearer set mtu 15 media udp name UDP0
Error: MTU value is out-of-range.
kernel answers: Invalid argument

[After  patch]
node1 ~ # tipc bearer set mtu 15 media udp name UDP0
kernel answers: Numerical result out of range

>+	.max = U16_MAX,
>+};
>+
> const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
> 	[TIPC_NLA_PROP_UNSPEC]		= { .type = NLA_UNSPEC },
> 	[TIPC_NLA_PROP_PRIO]		= { .type = NLA_U32 },
> 	[TIPC_NLA_PROP_TOL]		= { .type = NLA_U32 },
> 	[TIPC_NLA_PROP_WIN]		= { .type = NLA_U32 },
>-	[TIPC_NLA_PROP_MTU]		= { .type = NLA_U32 },
>+	[TIPC_NLA_PROP_MTU]		=
>NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range),
> 	[TIPC_NLA_PROP_BROADCAST]	= { .type = NLA_U32 },
> 	[TIPC_NLA_PROP_BROADCAST_RATIO]	= { .type = NLA_U32 }
> };
>--
>2.53.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation
  2026-07-10 12:57 ` Tung Quang Nguyen
@ 2026-07-10 14:02   ` Vadim Fedorenko
  2026-07-10 14:23     ` Tung Quang Nguyen
  0 siblings, 1 reply; 6+ messages in thread
From: Vadim Fedorenko @ 2026-07-10 14:02 UTC (permalink / raw)
  To: Tung Quang Nguyen, Cen Zhang (Microsoft)
  Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org,
	AutonomousCodeSecurity@microsoft.com,
	tgopinath@linux.microsoft.com, kys@microsoft.com,
	jmaloy@redhat.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org

On 10/07/2026 13:57, Tung Quang Nguyen wrote:
>> Subject: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU
>> validation
>>
>> Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied
>> MTU values but only enforce a minimum bound, not a maximum. When a user
>> sets the MTU to a value exceeding U16_MAX (65535), it passes validation but is
>> silently truncated when assigned to u16 fields l->mtu and
>> l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000)
>> truncate to 0, causing a division by zero in tipc_link_set_queue_limits() which
>> computes TIPC_MAX_PUBL / (l->mtu / ITEM_SIZE). Other overflowing values
>> (e.g. 65537-131071) produce small incorrect MTU values, resulting in link
>> malfunction behaviors.
> 
> Yes, this is a bug. I can reproduce the same div-by-zero.
> 
>>
>> Crash stack (triggered as unprivileged user via user namespace):
>>
>>   tipc_link_set_queue_limits  net/tipc/link.c:2531
>>   tipc_link_create            net/tipc/link.c:520
>>   tipc_node_check_dest        net/tipc/node.c:1279
>>   tipc_disc_rcv               net/tipc/discover.c:252
>>   tipc_rcv                    net/tipc/node.c:2129
>>   tipc_udp_recv               net/tipc/udp_media.c:392
>>
>> Two independent paths lack the upper bound check:
>> 1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET) 2.
>> inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET)
>>
>> Fix both by rejecting MTU values above U16_MAX.
>>
>> Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
>> Reported-by: AutonomousCodeSecurity@microsoft.com
>> Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-
>> CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
>> Signed-off-by: Cen Zhang (Microsoft) <blbllhy@gmail.com>
>> ---
>> v4: Add .min check value
>> v3: Use nla_policy check to limit MTU max value as suggested by Vadim
>> v2: Solved format issue
>> Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-
>> CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
>>
>> net/tipc/netlink.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index
>> 8336a9664703..811438c44542 100644
>> --- a/net/tipc/netlink.c
>> +++ b/net/tipc/netlink.c
>> @@ -113,12 +113,17 @@ const struct nla_policy
>> tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = {  };
>>
>> /* Properties valid for media, bearer and link */
>> +static const struct netlink_range_validation tipc_nl_mtu_range = {
>> +	.min = TIPC_MIN_BEARER_MTU,
> 
> Adding lower threshold checking introduces two issues:
> 1. Existing function tipc_udp_mtu_bad() can never return "true".

it can. if MTU is in the range [TIPC_MIN_BEARER_MTU, TIPC_MIN_BEARER_MTU 
+ sizeof(iphdr) + sizeof(udphdr)]

> 2. Breaking user-space applications looking for error message " Error: MTU value is out-of-range". Look at the error messages before and after your patch:
> [Before patch]
> node1 ~ # tipc bearer set mtu 15 media udp name UDP0
> Error: MTU value is out-of-range.
> kernel answers: Invalid argument
> 
> [After  patch]
> node1 ~ # tipc bearer set mtu 15 media udp name UDP0
> kernel answers: Numerical result out of range

that's interesting, because this error message belongs to 9p scope...

anyways, we can keep v3 of this patch with .max value set only


> 
>> +	.max = U16_MAX,
>> +};
>> +
>> const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
>> 	[TIPC_NLA_PROP_UNSPEC]		= { .type = NLA_UNSPEC },
>> 	[TIPC_NLA_PROP_PRIO]		= { .type = NLA_U32 },
>> 	[TIPC_NLA_PROP_TOL]		= { .type = NLA_U32 },
>> 	[TIPC_NLA_PROP_WIN]		= { .type = NLA_U32 },
>> -	[TIPC_NLA_PROP_MTU]		= { .type = NLA_U32 },
>> +	[TIPC_NLA_PROP_MTU]		=
>> NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range),
>> 	[TIPC_NLA_PROP_BROADCAST]	= { .type = NLA_U32 },
>> 	[TIPC_NLA_PROP_BROADCAST_RATIO]	= { .type = NLA_U32 }
>> };
>> --
>> 2.53.0
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation
  2026-07-10 14:02   ` Vadim Fedorenko
@ 2026-07-10 14:23     ` Tung Quang Nguyen
  0 siblings, 0 replies; 6+ messages in thread
From: Tung Quang Nguyen @ 2026-07-10 14:23 UTC (permalink / raw)
  To: Vadim Fedorenko
  Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
	linux-kernel@vger.kernel.org,
	AutonomousCodeSecurity@microsoft.com,
	tgopinath@linux.microsoft.com, kys@microsoft.com,
	jmaloy@redhat.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
	Cen Zhang (Microsoft)

>Subject: Re: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer
>MTU validation
>
>On 10/07/2026 13:57, Tung Quang Nguyen wrote:
>>> Subject: [PATCH net v4] tipc: fix u16 MTU truncation in media and
>>> bearer MTU validation
>>>
>>> Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied
>>> MTU values but only enforce a minimum bound, not a maximum. When a
>>> user sets the MTU to a value exceeding U16_MAX (65535), it passes
>>> validation but is silently truncated when assigned to u16 fields
>>> l->mtu and
>>> l->advertised_mtu in tipc_link_create(). Values like 65536 (0x10000)
>>> truncate to 0, causing a division by zero in
>>> tipc_link_set_queue_limits() which computes TIPC_MAX_PUBL / (l->mtu /
>>> ITEM_SIZE). Other overflowing values (e.g. 65537-131071) produce
>>> small incorrect MTU values, resulting in link malfunction behaviors.
>>
>> Yes, this is a bug. I can reproduce the same div-by-zero.
>>
>>>
>>> Crash stack (triggered as unprivileged user via user namespace):
>>>
>>>   tipc_link_set_queue_limits  net/tipc/link.c:2531
>>>   tipc_link_create            net/tipc/link.c:520
>>>   tipc_node_check_dest        net/tipc/node.c:1279
>>>   tipc_disc_rcv               net/tipc/discover.c:252
>>>   tipc_rcv                    net/tipc/node.c:2129
>>>   tipc_udp_recv               net/tipc/udp_media.c:392
>>>
>>> Two independent paths lack the upper bound check:
>>> 1. tipc_udp_mtu_bad() -- called from __tipc_nl_media_set() (MEDIA_SET)
>2.
>>> inline check in __tipc_nl_bearer_set() at bearer.c:1160 (BEARER_SET)
>>>
>>> Fix both by rejecting MTU values above U16_MAX.
>>>
>>> Fixes: 901271e0403a ("tipc: implement configuration of UDP media
>>> MTU")
>>> Reported-by: AutonomousCodeSecurity@microsoft.com
>>> Closes: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-
>>> CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
>>> Signed-off-by: Cen Zhang (Microsoft) <blbllhy@gmail.com>
>>> ---
>>> v4: Add .min check value
>>> v3: Use nla_policy check to limit MTU max value as suggested by Vadim
>>> v2: Solved format issue
>>> Link: https://lore.kernel.org/all/CAB8m9WgETt0AjmFwE=F-
>>> CKjGXsK6_WDv0=kbYRcC8-noo+amnA@mail.gmail.com
>>>
>>> net/tipc/netlink.c | 7 ++++++-
>>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index
>>> 8336a9664703..811438c44542 100644
>>> --- a/net/tipc/netlink.c
>>> +++ b/net/tipc/netlink.c
>>> @@ -113,12 +113,17 @@ const struct nla_policy
>>> tipc_nl_node_policy[TIPC_NLA_NODE_MAX + 1] = {  };
>>>
>>> /* Properties valid for media, bearer and link */
>>> +static const struct netlink_range_validation tipc_nl_mtu_range = {
>>> +	.min = TIPC_MIN_BEARER_MTU,
>>
>> Adding lower threshold checking introduces two issues:
>> 1. Existing function tipc_udp_mtu_bad() can never return "true".
>
>it can. if MTU is in the range [TIPC_MIN_BEARER_MTU,
>TIPC_MIN_BEARER_MTU
>+ sizeof(iphdr) + sizeof(udphdr)]

The context I was talking about is error path (mtu < min) as shown in examples. This makes adding .min check redundant.
                
>
>> 2. Breaking user-space applications looking for error message " Error: MTU
>value is out-of-range". Look at the error messages before and after your patch:
>> [Before patch]
>> node1 ~ # tipc bearer set mtu 15 media udp name UDP0
>> Error: MTU value is out-of-range.
>> kernel answers: Invalid argument
>>
>> [After  patch]
>> node1 ~ # tipc bearer set mtu 15 media udp name UDP0 kernel answers:
>> Numerical result out of range
>
>that's interesting, because this error message belongs to 9p scope...
>
>anyways, we can keep v3 of this patch with .max value set only
>
>
>>
>>> +	.max = U16_MAX,
>>> +};
>>> +
>>> const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
>>> 	[TIPC_NLA_PROP_UNSPEC]		= { .type = NLA_UNSPEC },
>>> 	[TIPC_NLA_PROP_PRIO]		= { .type = NLA_U32 },
>>> 	[TIPC_NLA_PROP_TOL]		= { .type = NLA_U32 },
>>> 	[TIPC_NLA_PROP_WIN]		= { .type = NLA_U32 },
>>> -	[TIPC_NLA_PROP_MTU]		= { .type = NLA_U32 },
>>> +	[TIPC_NLA_PROP_MTU]		=
>>> NLA_POLICY_FULL_RANGE(NLA_U32, &tipc_nl_mtu_range),
>>> 	[TIPC_NLA_PROP_BROADCAST]	= { .type = NLA_U32 },
>>> 	[TIPC_NLA_PROP_BROADCAST_RATIO]	= { .type = NLA_U32 }
>>> };
>>> --
>>> 2.53.0
>>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation
  2026-07-09 21:16 [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation Cen Zhang (Microsoft)
  2026-07-10 12:12 ` Vadim Fedorenko
  2026-07-10 12:57 ` Tung Quang Nguyen
@ 2026-07-10 16:34 ` Andrew Lunn
  2 siblings, 0 replies; 6+ messages in thread
From: Andrew Lunn @ 2026-07-10 16:34 UTC (permalink / raw)
  To: Cen Zhang (Microsoft)
  Cc: jmaloy, davem, edumazet, kuba, pabeni, horms, netdev,
	tipc-discussion, linux-kernel, vadim.fedorenko, tung.quang.nguyen,
	AutonomousCodeSecurity, tgopinath, kys

On Thu, Jul 09, 2026 at 05:16:49PM -0400, Cen Zhang (Microsoft) wrote:
> Both TIPC_NL_MEDIA_SET and TIPC_NL_BEARER_SET accept user-supplied
> MTU values but only enforce a minimum bound, not a maximum.

I don't know the tipc code at all..

Can this be piped through netif_set_mtu()? It will call
dev_validate_mtu() which will validate the MTU against dev->min_mtu
and dev->max_mtu.

    Andrew

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-07-10 16:35 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-09 21:16 [PATCH net v4] tipc: fix u16 MTU truncation in media and bearer MTU validation Cen Zhang (Microsoft)
2026-07-10 12:12 ` Vadim Fedorenko
2026-07-10 12:57 ` Tung Quang Nguyen
2026-07-10 14:02   ` Vadim Fedorenko
2026-07-10 14:23     ` Tung Quang Nguyen
2026-07-10 16:34 ` Andrew Lunn

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox