Update to 4.8.14
This commit is contained in:
parent
9382fc4d92
commit
14a852ee64
|
@ -1,4 +1,4 @@
|
|||
linux (4.8.13-1) UNRELEASED; urgency=medium
|
||||
linux (4.8.14-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.12
|
||||
|
@ -71,6 +71,52 @@ linux (4.8.13-1) UNRELEASED; urgency=medium
|
|||
IPI
|
||||
- [arm64] mm: Set PSTATE.PAN from the cpu_enable_pan() call
|
||||
- [arm64] suspend: Reconfigure PSTATE after resume from idle
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.14
|
||||
- gro_cells: mark napi struct as not busy poll candidates
|
||||
- virtio-net: add a missing synchronize_net()
|
||||
- [armhf] net: dsa: b53: Fix VLAN usage and how we treat CPU port
|
||||
- net: check dead netns for peernet2id_alloc()
|
||||
- ip6_tunnel: disable caching when the traffic class is inherited
|
||||
- net: sky2: Fix shutdown crash
|
||||
- af_unix: conditionally use freezable blocking calls in read
|
||||
- rtnetlink: fix FDB size computation
|
||||
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
|
||||
- rtnl: fix the loop index update error in rtnl_dump_ifinfo()
|
||||
- ipv6: bump genid when the IFA_F_TENTATIVE flag is clear
|
||||
- udplite: call proper backlog handlers
|
||||
- [armhf] net: dsa: bcm_sf2: Ensure we re-negotiate EEE during after link
|
||||
change
|
||||
- net, sched: respect rcu grace period on cls destruction
|
||||
- [armhf] net: dsa: fix unbalanced dsa_switch_tree reference counting
|
||||
- net/sched: pedit: make sure that offset is valid
|
||||
- netlink: Call cb->done from a worker thread
|
||||
- netlink: Do not schedule work from sk_destruct
|
||||
- net/dccp: fix use-after-free in dccp_invalid_packet
|
||||
- GSO: Reload iph after pskb_may_pull
|
||||
- packet: fix race condition in packet_set_ring (CVE-2016-8655)
|
||||
- ip6_offload: check segs for NULL in ipv6_gso_segment.
|
||||
- cdc_ether: Fix handling connection notification
|
||||
- tipc: check minimum bearer MTU (CVE-2016-8632)
|
||||
- geneve: avoid use-after-free of skb->data
|
||||
- net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
|
||||
- net: ping: check minimum size on ICMP header length (CVE-2016-8399)
|
||||
- ipv4: Restore fib_trie_flush_external function and fix call ordering
|
||||
- ipv4: Fix memory leak in exception case for splitting tries
|
||||
- ipv4: Drop leaf from suffix pull/push functions
|
||||
- ipv4: Drop suffix update from resize code
|
||||
- [sparc64] Fix find_node warning if numa node cannot be found
|
||||
- [sparc64] fix compile warning section mismatch in find_node()
|
||||
- [sparc] Fix inverted invalid_frame_pointer checks on sigreturns
|
||||
- constify iov_iter_count() and iter_is_iovec()
|
||||
- Don't feed anything but regular iovec's to blk_rq_map_user_iov
|
||||
(CVE-2016-9576)
|
||||
- ipv6: Set skb->protocol properly for local output
|
||||
- ipv4: Set skb->protocol properly for local output
|
||||
- Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in
|
||||
ip6_tnl_xmit()"
|
||||
- flowcache: Increase threshold for refusing new allocations
|
||||
- esp4: Fix integrity verification when ESN are used
|
||||
- esp6: Fix integrity verification when ESN are used
|
||||
|
||||
[ Uwe Kleine-König ]
|
||||
* [armhf] dts: armada-385: add support for Turris Omnia
|
||||
|
@ -80,13 +126,8 @@ linux (4.8.13-1) UNRELEASED; urgency=medium
|
|||
(Closes: #845611)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* tipc: check minimum bearer MTU (CVE-2016-8632)
|
||||
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
|
||||
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
|
||||
* Add ABI reference for 4.8.0-2
|
||||
* Ignore ABI changes in KVM
|
||||
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
|
||||
* Don't feed anything but regular iovec's to blk_rq_map_user_iov (CVE-2016-9576)
|
||||
* net: handle no dst on skb in icmp6_send (CVE-2016-9919)
|
||||
* [rt] Update to 4.8.11-rt7
|
||||
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Tue, 6 Dec 2016 16:18:14 -0800
|
||||
Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
|
||||
Origin: https://git.kernel.org/linus/a0ac402cfcdc904f9772e1762b3fda112dcc56a0
|
||||
|
||||
In theory we could map other things, but there's a reason that function
|
||||
is called "user_iov". Using anything else (like splice can do) just
|
||||
confuses it.
|
||||
|
||||
Reported-and-tested-by: Johannes Thumshirn <jthumshirn@suse.de>
|
||||
Cc: Al Viro <viro@ZenIV.linux.org.uk>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
block/blk-map.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||
index b8657fa..27fd8d92 100644
|
||||
--- a/block/blk-map.c
|
||||
+++ b/block/blk-map.c
|
||||
@@ -118,6 +118,9 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
struct iov_iter i;
|
||||
int ret;
|
||||
|
||||
+ if (!iter_is_iovec(iter))
|
||||
+ goto fail;
|
||||
+
|
||||
if (map_data)
|
||||
copy = true;
|
||||
else if (iov_iter_alignment(iter) & align)
|
||||
@@ -140,6 +143,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
|
||||
unmap_rq:
|
||||
__blk_rq_unmap_user(bio);
|
||||
+fail:
|
||||
rq->bio = NULL;
|
||||
return -EINVAL;
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 2 Dec 2016 09:44:53 -0800
|
||||
Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
|
||||
Origin: https://git.kernel.org/linus/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
|
||||
|
||||
CAP_NET_ADMIN users should not be allowed to set negative
|
||||
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
|
||||
corruptions, crashes, OOM...
|
||||
|
||||
Note that before commit 82981930125a ("net: cleanups in
|
||||
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
|
||||
and SO_RCVBUF were vulnerable.
|
||||
|
||||
This needs to be backported to all known linux kernels.
|
||||
|
||||
Again, many thanks to syzkaller team for discovering this gem.
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/sock.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/core/sock.c b/net/core/sock.c
|
||||
index 5e3ca41..00a074d 100644
|
||||
--- a/net/core/sock.c
|
||||
+++ b/net/core/sock.c
|
||||
@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
|
||||
val = min_t(u32, val, sysctl_wmem_max);
|
||||
set_sndbuf:
|
||||
sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
|
||||
- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
|
||||
+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
|
||||
/* Wake up sending tasks if we upped the value. */
|
||||
sk->sk_write_space(sk);
|
||||
break;
|
||||
@@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
|
||||
* returning the value we actually used in getsockopt
|
||||
* is the most desirable behavior.
|
||||
*/
|
||||
- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
|
||||
+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
|
||||
break;
|
||||
|
||||
case SO_RCVBUFFORCE:
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,71 +0,0 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Mon, 5 Dec 2016 10:34:38 -0800
|
||||
Subject: net: ping: check minimum size on ICMP header length
|
||||
Origin: https://git.kernel.org/linus/0eab121ef8750a5c8637d51534d5e9143fb0633f
|
||||
|
||||
Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
|
||||
was no check that the iovec contained enough bytes for an ICMP header,
|
||||
and the read loop would walk across neighboring stack contents. Since the
|
||||
iov_iter conversion, bad arguments are noticed, but the returned error is
|
||||
EFAULT. Returning EINVAL is a clearer error and also solves the problem
|
||||
prior to v3.19.
|
||||
|
||||
This was found using trinity with KASAN on v3.18:
|
||||
|
||||
BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
|
||||
Read of size 8 by task trinity-c2/9623
|
||||
page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
|
||||
flags: 0x0()
|
||||
page dumped because: kasan: bad access detected
|
||||
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
|
||||
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
|
||||
Call trace:
|
||||
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
|
||||
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
|
||||
[< inline >] __dump_stack lib/dump_stack.c:15
|
||||
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
|
||||
[< inline >] print_address_description mm/kasan/report.c:147
|
||||
[< inline >] kasan_report_error mm/kasan/report.c:236
|
||||
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
|
||||
[< inline >] check_memory_region mm/kasan/kasan.c:264
|
||||
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
|
||||
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
|
||||
[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
|
||||
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
|
||||
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
|
||||
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
|
||||
[< inline >] __sock_sendmsg_nosec net/socket.c:624
|
||||
[< inline >] __sock_sendmsg net/socket.c:632
|
||||
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
|
||||
[< inline >] SYSC_sendto net/socket.c:1797
|
||||
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
|
||||
|
||||
CVE-2016-8399
|
||||
|
||||
Reported-by: Qidan He <i@flanker017.me>
|
||||
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ping.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
|
||||
index 205e200..96b8e2b 100644
|
||||
--- a/net/ipv4/ping.c
|
||||
+++ b/net/ipv4/ping.c
|
||||
@@ -657,6 +657,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
|
||||
if (len > 0xFFFF)
|
||||
return -EMSGSIZE;
|
||||
|
||||
+ /* Must have at least a full ICMP header. */
|
||||
+ if (len < icmph_len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/*
|
||||
* Check the flags.
|
||||
*/
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,92 +0,0 @@
|
|||
From: Philip Pettersson <philip.pettersson@gmail.com>
|
||||
Date: Wed, 30 Nov 2016 14:55:36 -0800
|
||||
Subject: packet: fix race condition in packet_set_ring
|
||||
Origin: https://git.kernel.org/linus/84ac7260236a49c79eede91617700174c2c19b0c
|
||||
|
||||
When packet_set_ring creates a ring buffer it will initialize a
|
||||
struct timer_list if the packet version is TPACKET_V3. This value
|
||||
can then be raced by a different thread calling setsockopt to
|
||||
set the version to TPACKET_V1 before packet_set_ring has finished.
|
||||
|
||||
This leads to a use-after-free on a function pointer in the
|
||||
struct timer_list when the socket is closed as the previously
|
||||
initialized timer will not be deleted.
|
||||
|
||||
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
|
||||
changing the packet version while also taking the lock at the start
|
||||
of packet_set_ring.
|
||||
|
||||
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
|
||||
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/packet/af_packet.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
|
||||
index d2238b2..dd23323 100644
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
|
||||
|
||||
if (optlen != sizeof(val))
|
||||
return -EINVAL;
|
||||
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
|
||||
- return -EBUSY;
|
||||
if (copy_from_user(&val, optval, sizeof(val)))
|
||||
return -EFAULT;
|
||||
switch (val) {
|
||||
case TPACKET_V1:
|
||||
case TPACKET_V2:
|
||||
case TPACKET_V3:
|
||||
- po->tp_version = val;
|
||||
- return 0;
|
||||
+ break;
|
||||
default:
|
||||
return -EINVAL;
|
||||
}
|
||||
+ lock_sock(sk);
|
||||
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
|
||||
+ ret = -EBUSY;
|
||||
+ } else {
|
||||
+ po->tp_version = val;
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ release_sock(sk);
|
||||
+ return ret;
|
||||
}
|
||||
case PACKET_RESERVE:
|
||||
{
|
||||
@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
|
||||
/* Added to avoid minimal code churn */
|
||||
struct tpacket_req *req = &req_u->req;
|
||||
|
||||
+ lock_sock(sk);
|
||||
/* Opening a Tx-ring is NOT supported in TPACKET_V3 */
|
||||
if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
|
||||
net_warn_ratelimited("Tx-ring is not supported.\n");
|
||||
@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- lock_sock(sk);
|
||||
|
||||
/* Detach socket from network */
|
||||
spin_lock(&po->bind_lock);
|
||||
@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
|
||||
if (!tx_ring)
|
||||
prb_shutdown_retire_blk_timer(po, rb_queue);
|
||||
}
|
||||
- release_sock(sk);
|
||||
|
||||
if (pg_vec)
|
||||
free_pg_vec(pg_vec, order, req->tp_block_nr);
|
||||
out:
|
||||
+ release_sock(sk);
|
||||
return err;
|
||||
}
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,122 +0,0 @@
|
|||
From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz>
|
||||
Date: Fri, 2 Dec 2016 09:33:41 +0100
|
||||
Subject: tipc: check minimum bearer MTU
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/3de81b758853f0b29c61e246679d20b513c4cfec
|
||||
|
||||
Qian Zhang (张谦) reported a potential socket buffer overflow in
|
||||
tipc_msg_build() which is also known as CVE-2016-8632: due to
|
||||
insufficient checks, a buffer overflow can occur if MTU is too short for
|
||||
even tipc headers. As anyone can set device MTU in a user/net namespace,
|
||||
this issue can be abused by a regular user.
|
||||
|
||||
As agreed in the discussion on Ben Hutchings' original patch, we should
|
||||
check the MTU at the moment a bearer is attached rather than for each
|
||||
processed packet. We also need to repeat the check when bearer MTU is
|
||||
adjusted to new device MTU. UDP case also needs a check to avoid
|
||||
overflow when calculating bearer MTU.
|
||||
|
||||
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
|
||||
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
|
||||
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
|
||||
Acked-by: Ying Xue <ying.xue@windriver.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/tipc/bearer.c | 11 +++++++++--
|
||||
net/tipc/bearer.h | 13 +++++++++++++
|
||||
net/tipc/udp_media.c | 5 +++++
|
||||
3 files changed, 27 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
|
||||
index 975dbeb..52d7476 100644
|
||||
--- a/net/tipc/bearer.c
|
||||
+++ b/net/tipc/bearer.c
|
||||
@@ -421,6 +421,10 @@ int tipc_enable_l2_media(struct net *net, struct tipc_bearer *b,
|
||||
dev = dev_get_by_name(net, driver_name);
|
||||
if (!dev)
|
||||
return -ENODEV;
|
||||
+ if (tipc_mtu_bad(dev, 0)) {
|
||||
+ dev_put(dev);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
|
||||
/* Associate TIPC bearer with L2 bearer */
|
||||
rcu_assign_pointer(b->media_ptr, dev);
|
||||
@@ -610,8 +614,6 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
|
||||
if (!b)
|
||||
return NOTIFY_DONE;
|
||||
|
||||
- b->mtu = dev->mtu;
|
||||
-
|
||||
switch (evt) {
|
||||
case NETDEV_CHANGE:
|
||||
if (netif_carrier_ok(dev))
|
||||
@@ -624,6 +626,11 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
|
||||
tipc_reset_bearer(net, b);
|
||||
break;
|
||||
case NETDEV_CHANGEMTU:
|
||||
+ if (tipc_mtu_bad(dev, 0)) {
|
||||
+ bearer_disable(net, b);
|
||||
+ break;
|
||||
+ }
|
||||
+ b->mtu = dev->mtu;
|
||||
tipc_reset_bearer(net, b);
|
||||
break;
|
||||
case NETDEV_CHANGEADDR:
|
||||
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
|
||||
index 78892e2f..278ff7f 100644
|
||||
--- a/net/tipc/bearer.h
|
||||
+++ b/net/tipc/bearer.h
|
||||
@@ -39,6 +39,7 @@
|
||||
|
||||
#include "netlink.h"
|
||||
#include "core.h"
|
||||
+#include "msg.h"
|
||||
#include <net/genetlink.h>
|
||||
|
||||
#define MAX_MEDIA 3
|
||||
@@ -59,6 +60,9 @@
|
||||
#define TIPC_MEDIA_TYPE_IB 2
|
||||
#define TIPC_MEDIA_TYPE_UDP 3
|
||||
|
||||
+/* minimum bearer MTU */
|
||||
+#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE)
|
||||
+
|
||||
/**
|
||||
* struct tipc_media_addr - destination address used by TIPC bearers
|
||||
* @value: address info (format defined by media)
|
||||
@@ -215,4 +219,13 @@ void tipc_bearer_xmit(struct net *net, u32 bearer_id,
|
||||
void tipc_bearer_bc_xmit(struct net *net, u32 bearer_id,
|
||||
struct sk_buff_head *xmitq);
|
||||
|
||||
+/* check if device MTU is too low for tipc headers */
|
||||
+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
|
||||
+{
|
||||
+ if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
|
||||
+ return false;
|
||||
+ netdev_warn(dev, "MTU too low for tipc bearer\n");
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
#endif /* _TIPC_BEARER_H */
|
||||
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
|
||||
index 78cab9c..b58dc95 100644
|
||||
--- a/net/tipc/udp_media.c
|
||||
+++ b/net/tipc/udp_media.c
|
||||
@@ -697,6 +697,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
|
||||
udp_conf.local_ip.s_addr = htonl(INADDR_ANY);
|
||||
udp_conf.use_udp_checksums = false;
|
||||
ub->ifindex = dev->ifindex;
|
||||
+ if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
|
||||
+ sizeof(struct udphdr))) {
|
||||
+ err = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
b->mtu = dev->mtu - sizeof(struct iphdr)
|
||||
- sizeof(struct udphdr);
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -102,11 +102,6 @@ bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch
|
|||
bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
|
||||
bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
|
||||
bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
|
||||
bugfix/all/tipc-check-minimum-bearer-MTU.patch
|
||||
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
|
||||
bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
|
||||
bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
|
||||
bugfix/all/Don-t-feed-anything-but-regular-iovec-s-to-blk_rq_ma.patch
|
||||
bugfix/all/net-handle-no-dst-on-skb-in-icmp6_send.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|
Loading…
Reference in New Issue