From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net 1/4] tipc: require net admin for TIPCv2 netlink mutators
Date: Tue, 2 Jun 2026 09:35:52 -0400
Message-ID: <20260602133555.769727-2-michael.bommarito@gmail.com>
In-Reply-To: <20260602133555.769727-1-michael.bommarito@gmail.com>
References: <20260602133555.769727-1-michael.bommarito@gmail.com>

TIPCv2 registers mutating generic-netlink operations without admin permission flags. Generic netlink only checks CAP_NET_ADMIN when an operation sets GENL_ADMIN_PERM or GENL_UNS_ADMIN_PERM, so a local unprivileged process can currently change TIPC state through commands such as TIPC_NL_NET_SET, TIPC_NL_KEY_SET, TIPC_NL_KEY_FLUSH, and bearer enable/disable.

The legacy TIPC netlink API already checks netlink_net_capable(..., CAP_NET_ADMIN) for administrative commands. Give the TIPCv2 mutators the equivalent network-namespace-aware generic-netlink gate by setting GENL_UNS_ADMIN_PERM.

A QEMU/KASAN repro run as uid/gid 65534 with zero effective capabilities previously succeeded in changing the network id and node identity, setting and flushing key material, and enabling/disabling a UDP bearer. With this patch applied the same operations fail with -EPERM.

Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito
---
 net/tipc/netlink.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index 1a9a5bdaccf4f..8336a9664703f 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c @@ -152,11 +152,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_BEARER_DISABLE, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_disable, }, { .cmd =3D TIPC_NL_BEARER_ENABLE, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_enable, }, { @@ -168,11 +170,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_BEARER_ADD, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_add, }, { .cmd =3D TIPC_NL_BEARER_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_set, }, { @@ -197,11 +201,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_LINK_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_set_link, }, { .cmd =3D TIPC_NL_LINK_RESET_STATS, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_reset_link_stats, }, { @@ -213,6 +219,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_MEDIA_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_media_set, }, { @@ -228,6 +235,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_NET_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_net_set, }, { @@ -238,6 +246,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_MON_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_set_monitor, }, { 
@@ -255,6 +264,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_PEER_REMOVE, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_peer_rm, }, #ifdef CONFIG_TIPC_MEDIA_UDP 
@@ -269,11 +279,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_KEY_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_set_key, }, { .cmd =3D TIPC_NL_KEY_FLUSH, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_flush_key, }, #endif --=20 2.53.0
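Review bot: the single Fixes: tag (0655f6a8635b, "tipc: add bearer disable/enable to new netlink api") does not cover everything these hunks gate; the conditionally compiled TIPC_NL_KEY_SET/TIPC_NL_KEY_FLUSH ops just above, and TIPC_NL_MON_SET and TIPC_NL_PEER_REMOVE in the earlier hunks, are unlikely to have existed in a commit about bearer enable/disable, so a stable backport driven by that one tag will either fail to apply on those hunks or stop short of the key ops on trees where they exist. Add one Fixes: line per commit that introduced an op being gated, or split the patch so each piece applies cleanly on its own. While at it: the commit message justifies GENL_UNS_ADMIN_PERM by parity with the legacy netlink_net_capable() check for bearer configuration; since TIPC_NL_KEY_SET installs key material, say explicitly that namespace-scoped CAP_NET_ADMIN is the intended bar for it too, rather than the init-namespace CAP_NET_ADMIN that GENL_ADMIN_PERM would require.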
From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net 2/4] tipc: validate discovery message length before reading media address
Date: Tue, 2 Jun 2026 09:35:53 -0400
Message-ID: <20260602133555.769727-3-michael.bommarito@gmail.com>
In-Reply-To: <20260602133555.769727-1-michael.bommarito@gmail.com>
References: <20260602133555.769727-1-michael.bommarito@gmail.com>

tipc_disc_rcv() reads the sender's media address from the fixed media-info area of the header (msg_media_addr(), offset TIPC_MEDIA_INFO_OFFSET) and, when the peer advertises 128-bit node ids, copies a NODE_ID_LEN node id appended after the header. Neither read is bounded against the actual received length: tipc_msg_validate() only enforces a header size in the range [MIN_H_SIZE, MAX_H_SIZE], so a LINK_CONFIG message as short as MIN_H_SIZE (24 bytes) passes validation while the media-address read reaches up to MAX_H_SIZE and the node-id read reaches MAX_H_SIZE + NODE_ID_LEN.

A node always builds discovery messages at MAX_H_SIZE + NODE_ID_LEN (tipc_disc_init_msg()), so a shorter LINK_CONFIG message is malformed. Drop such messages before the reads so the media address and node id are taken from received data rather than from uninitialised tail room or memory beyond the buffer.

A crafted short LINK_CONFIG datagram otherwise makes tipc_disc_rcv() read past the received message data when a bearer is enabled.

Fixes: 3d749a6a26b0 ("tipc: Hide media-specific addressing details from generic bearer code")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/tipc/discover.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/net/tipc/discover.c b/net/tipc/discover.c
index 3e54d2df5683a..daf5f11fc82b4 100644
--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -217,6 +217,20 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *sk= b, } hdr =3D buf_msg(skb); =20 + /* A discovery message carries the sender's media address within the + * fixed-size header and, when 128-bit ids are advertised, a node id + * appended after it. A node always builds these messages at + * MAX_H_SIZE + NODE_ID_LEN, so drop anything too short to hold what + * is read below and keep msg2addr() and the node-id copy within the + * received data. + */ + if (skb->len < MAX_H_SIZE || + ((caps & TIPC_NODE_ID128) && skb->len < MAX_H_SIZE + NODE_ID_LEN)) { + pr_warn_ratelimited("Rcv corrupt discovery message\n"); + kfree_skb(skb); + return; + } + if (caps & TIPC_NODE_ID128) memcpy(peer_id, msg_node_id(hdr), NODE_ID_LEN); else --=20 2.53.0
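Review bot: the new bound is enforced after caps has already been read from the header (caps is consumed by the condition itself, so msg_node_capabilities() ran in the declarations above this hunk), and by my reading of net/tipc/msg.h that field sits in header word 13 (byte offset 52), well past the 24-byte MIN_H_SIZE the commit message says tipc_msg_validate() accepts; the same applies to the other fields initialised from hdr at the top of tipc_disc_rcv(). For the short LINK_CONFIG datagram described, the function therefore still reads beyond the received data before it reaches this check. Either move the skb->len test ahead of those reads (test skb->len < MAX_H_SIZE first, only then read caps, then test the MAX_H_SIZE + NODE_ID_LEN case), or pull the header-field reads down below the bound. Separately, the comment says a node always builds these messages at MAX_H_SIZE + NODE_ID_LEN, yet the check deliberately accepts a bare MAX_H_SIZE when TIPC_NODE_ID128 is not advertised; say that this is for peers without 128-bit ids so the asymmetry is not read as a bug.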
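As an added user-space illustration (my code, not kernel code and not part of this patch), the model below mirrors the two checks a LINK_CONFIG message goes through: the header validation of tipc_msg_validate(), which accepts any header between MIN_H_SIZE and MAX_H_SIZE, and the length bound this patch adds to tipc_disc_rcv(), placed so that the capability word is read only after the buffer is known to be long enough to contain it. The word-0 bit layout, the LINK_CONFIG user value (13), the capability word (13) and the TIPC_NODE_ID128 bit (1 << 5) follow my reading of net/tipc/msg.h and net/tipc/node.h and are assumptions; the messages it feeds in are constructed, not captured.

```c
/* Added example, not kernel code: a user-space model of the two checks a
 * LINK_CONFIG (discovery) message goes through: tipc_msg_validate()'s header
 * validation and the length bound this patch adds to tipc_disc_rcv(). Bit
 * layout, LINK_CONFIG = 13, the capability word and TIPC_NODE_ID128 follow my
 * reading of net/tipc/msg.h and node.h and are assumptions, not patch text.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIPC_VERSION    2u
#define MIN_H_SIZE      24u        /* shortest legal header, bytes */
#define MAX_H_SIZE      60u        /* longest legal header, bytes */
#define NODE_ID_LEN     16u        /* 128-bit node id appended after the header */
#define LINK_CONFIG     13u        /* msg_user() of discovery messages (assumed) */
#define CAPS_WORD       13u        /* word read by msg_node_capabilities() (assumed) */
#define TIPC_NODE_ID128 (1u << 5)  /* capability bit (assumed) */
enum disc_verdict { DISC_OK, DISC_BAD_HDR, DISC_TOO_SHORT };

/* Header words are big-endian u32; msg_bits() mirrors the kernel helper. */
static uint32_t msg_word(const uint8_t *b, unsigned w)
{
	return ((uint32_t)b[4 * w] << 24) | ((uint32_t)b[4 * w + 1] << 16) |
	       ((uint32_t)b[4 * w + 2] << 8) | b[4 * w + 3];
}

static uint32_t msg_bits(const uint8_t *b, unsigned w, unsigned pos, uint32_t mask)
{
	return (msg_word(b, w) >> pos) & mask;
}

static void set_word(uint8_t *b, unsigned w, uint32_t v)
{
	b[4 * w] = v >> 24; b[4 * w + 1] = v >> 16;
	b[4 * w + 2] = v >> 8; b[4 * w + 3] = v;
}

/* Word 0: version [31:29], user [28:25], hdr_sz/4 [24:21], msg size [16:0].
 * Any header from MIN_H_SIZE to MAX_H_SIZE is accepted, so a 24-byte
 * LINK_CONFIG passes here; that is the gap the patch closes on receive.
 */
static bool msg_validate(const uint8_t *buf, size_t len)
{
	uint32_t hsz, msz;
	if (len < MIN_H_SIZE)
		return false;
	hsz = msg_bits(buf, 0, 21, 0xf) << 2;
	if (hsz < MIN_H_SIZE || hsz > MAX_H_SIZE || len < hsz)
		return false;
	if (msg_bits(buf, 0, 29, 0x7) != TIPC_VERSION)
		return false;
	msz = msg_bits(buf, 0, 0, 0x1ffff);
	return msz >= hsz && len >= msz;
}

/* Receive-side check with the patch's bound. The capability word is read only
 * once the buffer is known to hold a full MAX_H_SIZE header, so no header
 * field is ever read from beyond the received bytes.
 */
static enum disc_verdict disc_rcv(const uint8_t *buf, size_t len)
{
	uint16_t caps;
	if (!msg_validate(buf, len) || msg_bits(buf, 0, 25, 0xf) != LINK_CONFIG)
		return DISC_BAD_HDR;
	if (len < MAX_H_SIZE)
		return DISC_TOO_SHORT;	/* media address would be read past the data */
	caps = msg_bits(buf, CAPS_WORD, 0, 0xffff);
	if ((caps & TIPC_NODE_ID128) && len < MAX_H_SIZE + NODE_ID_LEN)
		return DISC_TOO_SHORT;	/* node id would be read past the data */
	return DISC_OK;
}

/* Constructed LINK_CONFIG: `len` bytes on the wire, `hdr_sz` claimed in
 * word 0, `caps` in the capability word when the buffer can hold it.
 */
static void build_disc(uint8_t *buf, size_t len, unsigned hdr_sz, uint16_t caps)
{
	memset(buf, 0, len);
	set_word(buf, 0, (TIPC_VERSION << 29) | (LINK_CONFIG << 25) |
			 ((hdr_sz / 4) << 21) | (uint32_t)len);
	if (len >= 4 * (CAPS_WORD + 1))
		set_word(buf, CAPS_WORD, caps);
}

static enum disc_verdict check_case(size_t len, unsigned hdr_sz, uint16_t caps)
{
	uint8_t buf[MAX_H_SIZE + NODE_ID_LEN];
	build_disc(buf, len, hdr_sz, caps);
	return disc_rcv(buf, len);
}

int main(void)
{
	static const char *const v[] = { "ok", "bad header", "too short" };
	printf("24-byte LINK_CONFIG:         %s\n", v[check_case(24, 24, 0)]);
	printf("60-byte, no 128-bit id:      %s\n", v[check_case(60, 60, 0)]);
	printf("60-byte, 128-bit id claimed: %s\n", v[check_case(60, 60, TIPC_NODE_ID128)]);
	printf("76-byte, 128-bit id:         %s\n", v[check_case(76, 60, TIPC_NODE_ID128)]);
	return 0;
}
```

The 24-byte case is the commit message's repro: it clears msg_validate() yet is rejected before any read at TIPC_MEDIA_INFO_OFFSET or beyond. The 60-byte case without the 128-bit capability is accepted, which is what keeps peers that never append a node id interoperable.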
From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net 3/4] tipc: prevent snt_unacked underflow on CONN_ACK
Date: Tue, 2 Jun 2026 09:35:54 -0400
Message-ID: <20260602133555.769727-4-michael.bommarito@gmail.com>
In-Reply-To: <20260602133555.769727-1-michael.bommarito@gmail.com>
References: <20260602133555.769727-1-michael.bommarito@gmail.com>

tipc_sk_conn_proto_rcv() subtracts the peer-supplied connection ack count from the unsigned 16-bit send counter snt_unacked without checking that it does not exceed the number of messages actually outstanding:

	tsk->snt_unacked -= msg_conn_ack(hdr);

msg_conn_ack() is read straight from a received CONN_MANAGER/CONN_ACK message. If the ack count is larger than snt_unacked the subtraction wraps to a near-maximum value, leaving tsk_conn_cong() permanently true and starving the connection of further transmits.

Cap the ack to the outstanding count before subtracting.

A peer (or, for a local connection, the connected peer socket) can otherwise wedge a TIPC connection's send side by sending an oversized connection ack.

Fixes: 10724cc7bb78 ("tipc: redesign connection-level flow control")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/tipc/socket.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 9329919fb07f0..9c739a3cea126 100644
--- a/net/tipc/socket.c
@@ -1362,9 +1362,16 @@ static void tipc_sk_conn_proto_rcv(struct tipc_sock = *tsk, struct sk_buff *skb, __skb_queue_tail(xmitq, skb); return; } else if (mtyp =3D=3D CONN_ACK) { + u16 conn_ack =3D msg_conn_ack(hdr); + was_cong =3D tsk_conn_cong(tsk); tipc_sk_push_backlog(tsk, msg_nagle_ack(hdr)); - tsk->snt_unacked -=3D msg_conn_ack(hdr); + /* Cap a peer-supplied ack so a forged value cannot underflow + * the unsigned counter and wedge connection flow control. + */ + if (conn_ack > tsk->snt_unacked) + conn_ack =3D tsk->snt_unacked; + tsk->snt_unacked -=3D conn_ack; if (tsk->peer_caps & TIPC_BLOCK_FLOWCTL) tsk->snd_win =3D msg_adv_win(hdr); if (was_cong && !tsk_conn_cong(tsk)) --=20 2.53.0
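Review bot: the clamp silently turns a protocol violation into a no-op, so nobody operating the node can see that a peer is acking messages that were never sent; consider a pr_warn_ratelimited() (or at least a pr_debug) when conn_ack > tsk->snt_unacked before clamping, so a buggy or hostile peer is observable rather than merely tolerated. Also, msg_adv_win(hdr) two lines below is taken from the same untrusted CONN_ACK straight into tsk->snd_win; since the stated goal is to stop a peer from wedging the send side, the commit message should say why a zero or tiny advertised window is acceptable (the peer is entitled to throttle what it receives) while an oversized ack is not.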
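An added user-space model of the CONN_ACK arithmetic the commit message describes (my code, not kernel code and not part of this patch): a stand-in for struct tipc_sock with just the two flow-control fields, the pre-patch subtraction beside the clamped one, the tsk_conn_cong() predicate, and a driver that delivers one ack and then runs send/ack rounds to show whether traffic still flows. Field and function names mirror net/tipc/socket.c; the window size and message counts are constructed.

```c
/* Added example, not kernel code: a user-space model of the CONN_ACK
 * arithmetic in tipc_sk_conn_proto_rcv(). struct model_sock stands in for
 * struct tipc_sock with just the two flow-control fields; the window size
 * and message counts below are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct model_sock {
	uint16_t snt_unacked;	/* sent, not yet acked by the peer */
	uint16_t snd_win;	/* peer-advertised send window */
};

typedef void (*ack_fn)(struct model_sock *tsk, uint16_t conn_ack);

/* Same predicate as tsk_conn_cong() in net/tipc/socket.c. */
static bool model_conn_cong(const struct model_sock *tsk)
{
	return tsk->snt_unacked > tsk->snd_win;
}

/* Pre-patch handling: trust the peer's count. Wraps when it exceeds
 * snt_unacked because the field is an unsigned 16-bit counter.
 */
static void conn_ack_unchecked(struct model_sock *tsk, uint16_t conn_ack)
{
	tsk->snt_unacked -= conn_ack;
}

/* Patched handling: a peer can never release more than is outstanding. */
static void conn_ack_clamped(struct model_sock *tsk, uint16_t conn_ack)
{
	if (conn_ack > tsk->snt_unacked)
		conn_ack = tsk->snt_unacked;
	tsk->snt_unacked -= conn_ack;
}

/* Counter value right after one ack of `ack` against `sent` outstanding. */
static uint16_t snt_unacked_after(bool clamp, uint16_t sent, uint16_t ack)
{
	struct model_sock tsk = { .snt_unacked = sent, .snd_win = 10 };
	ack_fn rcv_ack = clamp ? conn_ack_clamped : conn_ack_unchecked;

	rcv_ack(&tsk, ack);
	return tsk.snt_unacked;
}

/* With `sent` messages outstanding, deliver one ack of `ack` (forged if it
 * exceeds `sent`), then run `rounds` send/ack rounds: the sender transmits
 * one message whenever tsk_conn_cong() allows and the peer honestly acks
 * it. Returns how many got through; 0 means the send side is wedged even
 * though nothing is in flight.
 */
static unsigned messages_after_ack(bool clamp, uint16_t sent, uint16_t ack,
				   unsigned rounds)
{
	struct model_sock tsk = { .snt_unacked = sent, .snd_win = 10 };
	ack_fn rcv_ack = clamp ? conn_ack_clamped : conn_ack_unchecked;
	unsigned delivered = 0;

	rcv_ack(&tsk, ack);
	for (unsigned i = 0; i < rounds; i++) {
		if (model_conn_cong(&tsk))
			continue;	/* blocked: nothing new for the peer to ack */
		tsk.snt_unacked++;
		rcv_ack(&tsk, 1);
		delivered++;
	}
	return delivered;
}

int main(void)
{
	printf("unchecked, 3 sent, ack 5: snt_unacked=%u, delivered=%u/8\n",
	       snt_unacked_after(false, 3, 5), messages_after_ack(false, 3, 5, 8));
	printf("clamped,   3 sent, ack 5: snt_unacked=%u, delivered=%u/8\n",
	       snt_unacked_after(true, 3, 5), messages_after_ack(true, 3, 5, 8));
	return 0;
}
```

With three messages outstanding and a forged ack of five, the unchecked path leaves snt_unacked at 65534, above any realistic snd_win, so every later round is blocked; the clamped path lands on 0 and traffic continues. An honest ack that matches what was sent behaves identically on both paths, which is the property the clamp has to preserve.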
From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net 4/4] tipc: reject inverted service ranges from peer bindings
Date: Tue, 2 Jun 2026 09:35:55 -0400
Message-ID: <20260602133555.769727-5-michael.bommarito@gmail.com>
In-Reply-To: <20260602133555.769727-1-michael.bommarito@gmail.com>
References: <20260602133555.769727-1-michael.bommarito@gmail.com>

tipc_update_nametbl() inserts a binding advertised by a peer node using the lower and upper service-range bounds taken directly from the wire, without checking that lower <= upper. The local bind path validates the ordering (tipc_uaddr_valid()), but the name-distribution path does not.

A binding with lower > upper is inserted at the far end of the service-range rbtree (keyed on lower) where no lookup or withdrawal can ever match it (service_range_foreach_match() requires sr->lower <= end). The publication, its service_range node and the augmented rbtree entry are then leaked for the lifetime of the namespace, and there is no per-peer cap equivalent to TIPC_MAX_PUBL on locally created bindings.

Reject inverted ranges in the network path as well.

A peer node can otherwise leak unbounded binding-table memory by sending PUBLICATION items with lower > upper.

Fixes: 37922ea4a310 ("tipc: permit overlapping service ranges in name table")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/tipc/name_distr.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 190b49c5cbc3e..b4ff074a2babd 100644
--- a/net/tipc/name_distr.c +++ b/net/tipc/name_distr.c @@ -283,9 +283,18 @@ static bool tipc_update_nametbl(struct net *net, struc= t distr_item *i, struct tipc_socket_addr sk; struct tipc_uaddr ua; u32 key =3D ntohl(i->key); + u32 lower =3D ntohl(i->lower); + u32 upper =3D ntohl(i->upper); + + /* A peer-advertised binding with lower > upper can never be matched + * or withdrawn and would leak the publication; the local bind path + * rejects such ranges, so reject ranges learned from the network too. + */ + if (lower > upper) + return false; =20 tipc_uaddr(&ua, TIPC_SERVICE_RANGE, TIPC_CLUSTER_SCOPE, - ntohl(i->type), ntohl(i->lower), ntohl(i->upper)); + ntohl(i->type), lower, upper); sk.ref =3D ntohl(i->port); sk.node =3D node; =20 --=20 2.53.0
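Review bot: the early `return false` for lower > upper is silent, so a peer that keeps sending inverted PUBLICATION items (the unbounded-leak scenario the commit message describes) leaves no trace in the log; add a pr_warn_ratelimited() naming the type, the two bounds and the originating node before returning, so the rejected traffic is attributable. If tipc_update_nametbl() is also the path for WITHDRAWAL items, an inverted withdrawal is harmless (nothing could have been inserted), so either state in the comment that the reject is intentionally applied to both directions or limit it to PUBLICATION. The commit message also points out that there is no per-peer cap on peer-advertised bindings; this patch closes the orphaned-entry leak but a peer can still publish an unbounded number of well-formed bindings, so either follow up with a cap or narrow the "leak unbounded binding-table memory" wording to the inverted-range case.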