android_kernel_samsung_sm8650/net at 3de81b758853f0b29c61e246679d20b513c4cfec - android_kernel_samsung_sm8650 - Gitea: Git with a cup of tea

android/android_kernel_samsung_sm8650

History

Michal Kubeček 3de81b7588 tipc: check minimum bearer MTU

Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2016-12-02 14:03:20 -05:00

..

6lowpan: ndisc: no overreact if no short address is available

2016-09-19 20:19:34 +02:00

IB/core: add support to create a unsafe global rkey to ib_create_pd

2016-09-23 13:47:44 -04:00

…

net: add recursion limit to GRO

2016-10-20 14:32:22 -04:00

appletalk: use IS_ENABLED() instead of checking for built-in or module

2016-09-10 21:19:10 -07:00

lec: use IS_ENABLED() instead of checking for built-in or module

2016-09-10 21:19:10 -07:00

AX.25: Close socket connection on session completion

2016-06-18 20:55:34 -07:00

batman-adv: Detect missing primaryif during tp_send as error

2016-11-04 12:27:39 +01:00

Bluetooth: Fix using the correct source address type

2016-11-22 22:50:46 +01:00

bridge: multicast: restore perm router ports on multicast enable

2016-10-18 13:52:13 -04:00

caif: Remove unneeded header file

2016-06-28 05:26:14 -04:00

can: bcm: fix support for CAN FD frames

2016-11-23 15:22:18 +01:00

libceph: initialize last_linger_id with a large integer

2016-11-10 20:13:08 +01:00

net/rtnetlink: fix attribute name in nlmsg_size() comments

2016-12-02 10:34:59 -05:00

…

net/dccp: fix use-after-free in dccp_invalid_packet

2016-11-29 20:37:26 -05:00

net: fix decnet rtnexthop parsing

2016-07-05 14:08:47 -07:00

KEYS: Add a facility to restrict new links into a keyring

2016-04-11 22:37:37 +01:00

net: dsa: slave: fix fixed-link phydev leaks

2016-11-29 23:17:02 -05:00

net: add recursion limit to GRO

2016-10-20 14:32:22 -04:00

net/hsr: Remove unused but set variable

2016-10-18 10:28:18 -04:00

ieee802154: 6lowpan: fix intra pan id check

2016-07-08 13:23:12 +02:00

ipv4: Set skb->protocol properly for local output

2016-12-02 12:34:22 -05:00

ip6_offload: check segs for NULL in ipv6_gso_segment.

2016-12-02 13:34:58 -05:00

…

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2016-09-23 06:46:57 -04:00

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

2016-07-29 17:38:46 -07:00

Merge branch 'work.splice_read' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2016-10-07 15:36:58 -07:00

…

l2tp: fix address test in __l2tp_ip6_bind_lookup()

2016-11-30 14:14:08 -05:00

net: ipv6: Remove l3mdev_get_saddr6

2016-09-10 23:12:53 -07:00

net/lapb: tuse %*ph to dump buffers

2016-05-29 22:33:25 -07:00

llc: switch type to bool as the timeout is only tested versus 0

2016-09-17 10:05:05 -04:00

mac80211: fix A-MSDU aggregation with fast-xmit + txq

2016-11-15 14:37:30 +01:00

mac802154: use rate limited warnings for malformed frames

2016-09-19 20:19:34 +02:00

mpls: move mpls_hdr to a common location

2016-10-03 02:00:21 -04:00

net/ncsi: Improve HNCDSC AEN handler

2016-10-20 11:23:08 -04:00

netfilter: nft_range: add the missing NULL pointer check

2016-11-24 14:43:35 +01:00

netlabel: Implement CALIPSO config functions for SMACK.

2016-06-27 15:06:18 -04:00

netlink: Call cb->done from a worker thread

2016-11-29 19:48:38 -05:00

…

NFC: digital: Fix RTOX supervisor PDU handling

2016-07-11 02:02:03 +02:00

openvswitch: Fix skb leak in IPv6 reassembly.

2016-11-30 11:00:45 -05:00

packet: fix race condition in packet_set_ring

2016-12-02 12:16:49 -05:00

…

Merge tag 'qcom-soc-for-4.7-2' into net-next

2016-05-17 14:11:19 -04:00

RDS: TCP: unregister_netdevice_notifier() in error path of rds_tcp_init_net

2016-12-02 13:29:26 -05:00

rfkill: Use switch to demux userspace operations

2016-04-05 10:48:53 +02:00

rose: limit sk_filter trim to payload

2016-07-13 11:53:40 -07:00

rxrpc: Fix checking of error from ip6_route_output()

2016-10-13 08:43:17 +01:00

sched: cls_flower: remove from hashtable only in case skip sw flag is not set

2016-11-29 20:44:38 -05:00

sctp: change sk state only when it has assocs in sctp_shutdown

2016-11-14 16:22:33 -05:00

strparser: Propagate correct error code in strp_recv()

2016-10-12 01:51:49 -04:00

One fix for an NFS/RDMA crash.

2016-11-18 16:32:21 -08:00

switchdev: Execute bridge ndos only for bridge ports

2016-10-19 10:58:04 -04:00

tipc: check minimum bearer MTU

2016-12-02 14:03:20 -05:00

af_unix: conditionally use freezable blocking calls in read

2016-11-18 13:58:39 -05:00

VSOCK: Don't dec ack backlog twice for rejected connections

2016-09-27 07:59:25 -04:00

…

cfg80211: limit scan results cache size

2016-11-18 08:44:44 +01:00

net: x25: remove null checks on arrays calling_ae and called_ae

2016-09-09 18:13:30 -07:00

xfrm_user: fix return value from xfrm_user_rcv_msg

2016-11-30 10:58:53 +01:00

compat.c

packet: compat support for sock_fprog

2016-06-09 23:41:03 -07:00

Kconfig

strparser: Stream parser for messages

2016-08-17 19:36:23 -04:00

Makefile

strparser: Stream parser for messages

2016-08-17 19:36:23 -04:00

socket.c

xattr: Fix setting security xattrs on sockfs

2016-11-17 00:00:23 -05:00

sysctl_net.c

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

2016-10-06 09:52:23 -07:00