From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 1/4] tipc: require net admin for TIPCv2 netlink mutators
Date: Sat, 6 Jun 2026 15:14:10 -0400
X-Mailer: git-send-email 2.53.0
Content-Transfer-Encoding: quoted-printable

TIPCv2 registers mutating generic-netlink operations without admin permission flags. Generic netlink only checks CAP_NET_ADMIN when an operation sets GENL_ADMIN_PERM or GENL_UNS_ADMIN_PERM, so a local unprivileged process can currently change TIPC state through commands such as TIPC_NL_NET_SET, TIPC_NL_KEY_SET, TIPC_NL_KEY_FLUSH, and bearer enable/disable.

The legacy TIPC netlink API already checks netlink_net_capable(..., CAP_NET_ADMIN) for administrative commands. Give the TIPCv2 mutators the equivalent generic-netlink gate. Use GENL_UNS_ADMIN_PERM for network-namespace scoped operations and GENL_ADMIN_PERM for TIPC_NL_MEDIA_SET, which updates the shared media defaults rather than state owned only by the target network namespace.

A QEMU/KASAN repro run as uid/gid 65534 with zero effective capabilities previously succeeded in changing the network id and node identity, setting and flushing key material, and enabling/disabling a UDP bearer. With this patch applied the same operations fail with -EPERM.

Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
Link: https://lore.kernel.org/all/20260604163102.2658553-1-dominik.czarnota@trailofbits.com/
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito
---
v2:
- Use GENL_ADMIN_PERM for TIPC_NL_MEDIA_SET because it updates global media defaults, while keeping GENL_UNS_ADMIN_PERM for netns-scoped mutators.

 net/tipc/netlink.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index 1a9a5bdaccf4f..5bbe134284acc 100644 --- a/net/tipc/netlink.c +++ b/net/tipc/netlink.c @@ -152,11 +152,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_BEARER_DISABLE, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_disable, }, { .cmd =3D TIPC_NL_BEARER_ENABLE, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_enable, }, { @@ -168,11 +170,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_BEARER_ADD, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_add, }, { .cmd =3D TIPC_NL_BEARER_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_bearer_set, }, { @@ -197,11 +201,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_LINK_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_set_link, }, { .cmd =3D TIPC_NL_LINK_RESET_STATS, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_reset_link_stats, }, { @@ -213,6 +219,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_MEDIA_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_ADMIN_PERM, .doit =3D tipc_nl_media_set, }, {
@@ -228,6 +235,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_NET_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_net_set, }, { @@ -238,6 +246,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_MON_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_set_monitor, }, { @@ -255,6 +264,7 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_PEER_REMOVE, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_peer_rm, }, #ifdef CONFIG_TIPC_MEDIA_UDP 
@@ -269,11 +279,13 @@ static const struct genl_ops tipc_genl_v2_ops[] =3D { { .cmd =3D TIPC_NL_KEY_SET, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_set_key, }, { .cmd =3D TIPC_NL_KEY_FLUSH, .validate =3D GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, + .flags =3D GENL_UNS_ADMIN_PERM, .doit =3D tipc_nl_node_flush_key, }, #endif --=20 2.53.0
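Review bot: the TIPC_NL_KEY_SET / TIPC_NL_KEY_FLUSH hunk gates operations that the commit cited in the Fixes: tag (0655f6a8635b, bearer enable/disable) did not introduce, so a stable backport of this single patch will not apply cleanly to trees that predate the key-management ops; either add a Fixes: tag per affected command group or note for stable that the hunks are independent and can be dropped per tree. The permission split itself reads correctly against the v2 changelog: every netns-scoped mutator (bearer add/set/enable/disable, link set and stats reset, net set, monitor set, peer remove, key set/flush) gets GENL_UNS_ADMIN_PERM, and only TIPC_NL_MEDIA_SET, which touches global media defaults, gets GENL_ADMIN_PERM. Worth confirming in the cover letter that the read-only *_GET and dump ops, which these hunks leave untouched, are intentionally still reachable without CAP_NET_ADMIN, since a later reviewer may otherwise assume the omission was accidental.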
From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 2/4] tipc: validate discovery message length before reading media address
Date: Sat, 6 Jun 2026 15:14:11 -0400
Message-ID: <357fb271180356b1ab2355da9702927f4785f805.1780766454.git.michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Content-Transfer-Encoding: quoted-printable

tipc_disc_rcv() reads the sender's media address from the fixed media-info area of the header (msg_media_addr(), offset TIPC_MEDIA_INFO_OFFSET) and, when the peer advertises 128-bit node ids, copies a NODE_ID_LEN node id appended after the header. Neither read is bounded against the actual received length: tipc_msg_validate() only enforces a header size in the range [MIN_H_SIZE, MAX_H_SIZE], so a LINK_CONFIG message as short as MIN_H_SIZE (24 bytes) passes validation while the media-address read reaches up to MAX_H_SIZE and the node-id read reaches MAX_H_SIZE + NODE_ID_LEN.

A node always builds discovery messages at MAX_H_SIZE + NODE_ID_LEN (tipc_disc_init_msg()), so a shorter LINK_CONFIG message is malformed. Drop such messages before the reads so the media address and node id are taken from received data rather than from uninitialised tail room or memory beyond the buffer.

A crafted short LINK_CONFIG datagram otherwise makes tipc_disc_rcv() read past the received message data when a bearer is enabled.

Fixes: 3d749a6a26b0 ("tipc: Hide media-specific addressing details from generic bearer code")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 net/tipc/discover.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/net/tipc/discover.c b/net/tipc/discover.c index 3e54d2df5683a..daf5f11fc82b4 100644 --- a/net/tipc/discover.c +++ b/net/tipc/discover.c 
@@ -217,6 +217,20 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *sk= b, } hdr =3D buf_msg(skb); =20 + /* A discovery message carries the sender's media address within the + * fixed-size header and, when 128-bit ids are advertised, a node id + * appended after it. A node always builds these messages at + * MAX_H_SIZE + NODE_ID_LEN, so drop anything too short to hold what + * is read below and keep msg2addr() and the node-id copy within the + * received data. + */ + if (skb->len < MAX_H_SIZE || + ((caps & TIPC_NODE_ID128) && skb->len < MAX_H_SIZE + NODE_ID_LEN)) { + pr_warn_ratelimited("Rcv corrupt discovery message\n"); + kfree_skb(skb); + return; + } + if (caps & TIPC_NODE_ID128) memcpy(peer_id, msg_node_id(hdr), NODE_ID_LEN); else --=20 2.53.0
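Review bot: the new bound consumes `caps`, which must already have been read from `hdr` above this hunk; if that read, or any other header field the function pulls from `hdr` before this point, sits at a word offset beyond MIN_H_SIZE, it is still a read past a 24-byte message and precedes the check, so either hoist the length check ahead of those reads or enforce the minimum LINK_CONFIG length in the bearer receive path before tipc_disc_rcv() is entered. The condition itself is the right one for the two reads it protects: msg_media_addr() lies inside MAX_H_SIZE and the node-id copy needs MAX_H_SIZE + NODE_ID_LEN, and comparing against skb->len rather than the header-size field is what actually bounds the copy. Keeping the drop observable via pr_warn_ratelimited() is good; a bearer being fed short LINK_CONFIG datagrams is something an operator should be able to see in the log.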
From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 3/4] tipc: prevent snt_unacked underflow on CONN_ACK
Date: Sat, 6 Jun 2026 15:14:12 -0400
Message-ID: <63f37dc57a6d2cc614cc466582cd8d69192c720c.1780766454.git.michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Content-Transfer-Encoding: quoted-printable

tipc_sk_conn_proto_rcv() subtracts the peer-supplied connection ack count from the unsigned 16-bit send counter snt_unacked without checking that it does not exceed the number of messages actually outstanding:

    tsk->snt_unacked -= msg_conn_ack(hdr);

msg_conn_ack() is read straight from a received CONN_MANAGER/CONN_ACK message. If the ack count is larger than snt_unacked, the subtraction wraps to a near-maximum value, leaving tsk_conn_cong() permanently true and starving the connection of further transmits.

Validate the ACK count at the start of the CONN_ACK block and drop the message if it acknowledges more messages than are outstanding.

A peer (or, for a local connection, the connected peer socket) can otherwise wedge a TIPC connection's send side by sending an oversized connection ack.

Fixes: 10724cc7bb78 ("tipc: redesign connection-level flow control")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
v2:
- Validate msg_conn_ack() at the beginning of the CONN_ACK block and drop invalid messages instead of capping the peer-supplied value.

 net/tipc/socket.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 9329919fb07f0..80ad973cda16e 100644 --- a/net/tipc/socket.c
+++ b/net/tipc/socket.c 
@@ -1362,9 +1362,14 @@ static void tipc_sk_conn_proto_rcv(struct tipc_sock = *tsk, struct sk_buff *skb, __skb_queue_tail(xmitq, skb); return; } else if (mtyp =3D=3D CONN_ACK) { + u16 conn_ack =3D msg_conn_ack(hdr); + + if (conn_ack > tsk->snt_unacked) + goto exit; + was_cong =3D tsk_conn_cong(tsk); tipc_sk_push_backlog(tsk, msg_nagle_ack(hdr)); - tsk->snt_unacked -=3D msg_conn_ack(hdr); + tsk->snt_unacked -=3D conn_ack; if (tsk->peer_caps & TIPC_BLOCK_FLOWCTL) tsk->snd_win =3D msg_adv_win(hdr); if (was_cong && !tsk_conn_cong(tsk)) --=20 2.53.0
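Review bot: the `goto exit` for an oversized ack discards the message silently and the `exit` label is outside the hunk, so please confirm it frees `skb` (otherwise this path leaks the buffer) and consider a pr_warn_ratelimited() or a counter at the drop point, since a peer acknowledging more messages than are outstanding is exactly the misbehaviour an operator would want visible. Reading msg_conn_ack() once into `conn_ack` and validating it before tipc_sk_push_backlog() is the right order: the previous code had already pushed the backlog by the time it subtracted, so rejecting before any state changes avoids a half-applied ack. The comparison is u16 against u16 (`conn_ack` is declared u16 and the commit message states snt_unacked is a 16-bit counter), so there is no integer-promotion surprise in `conn_ack > tsk->snt_unacked`.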
From: Michael Bommarito
To: Jon Maloy, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Ying Xue, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 4/4] tipc: reject inverted service ranges from peer bindings
Date: Sat, 6 Jun 2026 15:14:13 -0400
Message-ID: <6691aa72214b0741477b479ffe5eb2b272664da3.1780766454.git.michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Content-Transfer-Encoding: quoted-printable

tipc_update_nametbl() inserts a binding advertised by a peer node using the lower and upper service-range bounds taken directly from the wire, without checking that lower <= upper. The local bind path validates the ordering (tipc_uaddr_valid()), but the name-distribution path does not.

A binding with lower > upper is inserted at the far end of the service-range rbtree (keyed on lower) where no lookup or withdrawal can ever match it (service_range_foreach_match() requires sr->lower <= end). The publication, its service_range node and the augmented rbtree entry are then leaked for the lifetime of the namespace, and there is no per-peer cap equivalent to TIPC_MAX_PUBL on locally created bindings.

Reject inverted ranges in the network path as well.

A peer node can otherwise leak unbounded binding-table memory by sending PUBLICATION items with lower > upper.

Fixes: 37922ea4a310 ("tipc: permit overlapping service ranges in name table")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
v2:
- Reorder the new u32 declarations in reverse-Xmas-tree order.

 net/tipc/name_distr.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c index 190b49c5cbc3e..da8a5eb6e63f1 100644
--- a/net/tipc/name_distr.c +++ b/net/tipc/name_distr.c @@ -282,10 +282,19 @@ static bool tipc_update_nametbl(struct net *net, stru= ct distr_item *i, struct publication *p =3D NULL; struct tipc_socket_addr sk; struct tipc_uaddr ua; + u32 lower =3D ntohl(i->lower); + u32 upper =3D ntohl(i->upper); u32 key =3D ntohl(i->key); =20 + /* A peer-advertised binding with lower > upper can never be matched + * or withdrawn and would leak the publication; the local bind path + * rejects such ranges, so reject ranges learned from the network too. + */ + if (lower > upper) + return false; + tipc_uaddr(&ua, TIPC_SERVICE_RANGE, TIPC_CLUSTER_SCOPE, - ntohl(i->type), ntohl(i->lower), ntohl(i->upper)); + ntohl(i->type), lower, upper); sk.ref =3D ntohl(i->port); sk.node =3D node; =20 --=20 2.53.0
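Review bot: the `return false` for an inverted range is silent; since the commit message describes a peer that can send such PUBLICATION items deliberately, a pr_warn_ratelimited() naming the node and service type before the `return false` would make a misbehaving peer observable rather than just harmless. Placing the check before tipc_uaddr() builds `ua` is correct, since nothing reaches the rbtree until the bounds have been validated, and reusing `lower`/`upper` in the tipc_uaddr() call avoids converting the same fields twice. The commit message also notes the missing per-peer cap equivalent to TIPC_MAX_PUBL: this patch closes the unbounded leak from entries that can never be matched or withdrawn, but a peer can still grow the table with well-formed distinct bindings, which is worth a follow-up rather than a blocker here.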