Critical Linux Kernel Bug Allows Remote Takeover (Security News, November 2021)
According to SentinelOne's SentinelLabs, the bug resides in a message type of the kernel's Transparent Inter-Process Communication (TIPC) protocol that lets cluster nodes send cryptographic keys to each other.
According to the researcher, every TIPC message begins with a common header that carries two size fields: a header-size field, which stores the actual header size shifted right by two bits (that is, in four-byte units), and a message-size field that holds the length of the entire TIPC message.
"The message size is correctly validated as greater than the header size, the payload size is validated against the maximum user message size, and the message size is validated against the actual received packet length," Van Amerongen said - so far, so good.
The buffer allocated to hold an incoming key is sized from those header fields: the message size minus the header size, which is simply the payload length, rather than from the key length carried inside the payload itself.
"There are no checks for either the [key length] or the size of the key algorithm name itself against the message size," the researcher explained.
The message-validation function only checks that the message size claimed in the header does not exceed the length of the packet actually received; it does not require the two to match: "That means that an attacker could create a 20-byte packet and set the message size to 10 bytes without failing the check," Van Amerongen added.
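The allocation-versus-copy mismatch described above, as an added user-space model written for this page rather than code from SentinelLabs or the Linux kernel. The 8-byte header layout, the ALG_NAME_LEN and MAX_KEY_MSG constants, the "gcm(aes)" name and the function names (validate_msg, key_copy_vulnerable, key_copy_hardened, run_case) are assumptions made for the illustration; what it reproduces is the sequence of checks the researcher lists, the payload-sized allocation, and the key-length copy that is never compared against it, beside a hardened version that adds the missing comparison. Rather than perform the out-of-bounds write, the vulnerable path reports whether the copy would overrun the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this model (not TIPC's real wire format): an 8-byte
 * header, byte 0 = header length >> 2, bytes 4..7 = message size; then a
 * fixed-width algorithm name, a 4-byte key length and the key bytes. */
#define HDR_LEN       8
#define ALG_NAME_LEN 32
#define KEY_OFF      (ALG_NAME_LEN + 4)  /* key bytes follow name + length */
#define MAX_KEY_MSG  1024                /* assumed maximum payload size   */

enum { KEY_OK = 0, KEY_BAD_HEADER = -1, KEY_BAD_KEYLEN = -2 };
enum { MODE_VALIDATE, MODE_VULNERABLE, MODE_HARDENED };

static uint32_t rd32(const uint8_t *p)   /* big-endian read */
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

static void wr32(uint8_t *p, uint32_t v) /* big-endian write */
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Fills buf (>= HDR_LEN + KEY_OFF bytes) with a constructed key message. */
static void make_key_msg(uint8_t *buf, uint32_t msg_size, uint32_t keylen)
{
    memset(buf, 0, HDR_LEN + KEY_OFF);
    buf[0] = HDR_LEN >> 2;
    wr32(buf + 4, msg_size);
    memcpy(buf + HDR_LEN, "gcm(aes)", 8);
    wr32(buf + HDR_LEN + ALG_NAME_LEN, keylen);
}

/* The checks the article credits to the validation function. The last one
 * only bounds the claimed size by the bytes received, so a 20-byte packet
 * claiming msg_size = 10 passes. */
static int validate_msg(const uint8_t *pkt, size_t pkt_len,
                        size_t *hdr_sz, size_t *msg_sz)
{
    if (pkt_len < HDR_LEN)
        return KEY_BAD_HEADER;
    *hdr_sz = (size_t)pkt[0] << 2;          /* field holds the size >> 2 */
    *msg_sz = rd32(pkt + 4);
    if (*hdr_sz < HDR_LEN || *msg_sz <= *hdr_sz)
        return KEY_BAD_HEADER;
    if (*msg_sz - *hdr_sz > MAX_KEY_MSG || *msg_sz > pkt_len)
        return KEY_BAD_HEADER;              /* payload vs. max; size vs. received */
    return KEY_OK;
}

/* Vulnerable shape: the buffer is sized from msg_size - hdr_size, the copy
 * from the key length inside the payload, and nothing compares the two.
 * Instead of doing the out-of-bounds memcpy, return 1 if it would overrun
 * the allocation and 0 if the key would fit. */
static int key_copy_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    size_t hdr_sz, msg_sz;
    int rc = validate_msg(pkt, pkt_len, &hdr_sz, &msg_sz);
    if (rc != KEY_OK)
        return rc;
    size_t alloc = msg_sz - hdr_sz;         /* kmalloc(alloc) in the real path */
    if (pkt_len < hdr_sz + KEY_OFF)         /* demo-only guard: the real path reads on */
        return KEY_BAD_HEADER;
    size_t keylen = rd32(pkt + hdr_sz + ALG_NAME_LEN);
    return (alloc < KEY_OFF || keylen > alloc - KEY_OFF) ? 1 : 0;
}

/* Hardened shape: the fixed fields must fit the payload and the key length
 * must fit in what remains, before any copy is attempted. */
static int key_copy_hardened(const uint8_t *pkt, size_t pkt_len)
{
    size_t hdr_sz, msg_sz;
    int rc = validate_msg(pkt, pkt_len, &hdr_sz, &msg_sz);
    if (rc != KEY_OK)
        return rc;
    size_t payload = msg_sz - hdr_sz;
    if (payload < KEY_OFF)
        return KEY_BAD_KEYLEN;
    size_t keylen = rd32(pkt + hdr_sz + ALG_NAME_LEN);
    return keylen > payload - KEY_OFF ? KEY_BAD_KEYLEN : KEY_OK;
}

/* Constructs one message, "receives" sent bytes of it and runs one path. */
static int run_case(uint32_t msg_size, uint32_t keylen, size_t sent, int mode)
{
    uint8_t pkt[256] = {0};
    size_t h, m;
    make_key_msg(pkt, msg_size, keylen);
    if (sent > sizeof pkt) sent = sizeof pkt;
    if (mode == MODE_VULNERABLE) return key_copy_vulnerable(pkt, sent);
    if (mode == MODE_HARDENED)   return key_copy_hardened(pkt, sent);
    return validate_msg(pkt, sent, &h, &m);
}

int main(void)
{
    printf("benign  msg=60 key=16  : vuln=%d hardened=%d\n",
           run_case(60, 16, 60, MODE_VULNERABLE), run_case(60, 16, 60, MODE_HARDENED));
    printf("crafted msg=44 key=4096: vuln=%d hardened=%d\n",
           run_case(44, 4096, 60, MODE_VULNERABLE), run_case(44, 4096, 60, MODE_HARDENED));
    return 0;
}
```

Build with any C99 compiler (for instance `cc -Wall -o keymodel keymodel.c`, the file name being arbitrary). The crafted case passes every check in validate_msg, leaves zero bytes of room after the fixed fields in its 36-byte allocation, and would copy 4096 bytes in the vulnerable path; the hardened path rejects it before copying, and also rejects the researcher's 20-byte packet claiming a 10-byte message because the fixed fields cannot fit in a 2-byte payload.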