Stack Overflow in Linux Kernel TIPC Module due to Missing Bounds Check

We discussed this vulnerability during Episode 120 on 15 February 2022

A remotely reachable stack-based buffer overflow in the Linux Kernel’s TIPC module, caused by a missing bounds check in an edge case.

While ultimately the issue is due to a missing bounds check, the code is actually careful to ensure it allocates enough space for the backing buffer. There are several sanity checks at the start of tipc_mon_rcv:

  • Ensures the data length is at least enough to hold an empty record
  • Ensures the length matches the expected length for the given number of internal members
  • Ensures the length matches the internal len field

Later, when it stores the record, if it is replacing an old one it checks the previous record’s length and reallocates a larger one if necessary. The problem is that when updating the record, if there was a previous one, it copies that old record into a stack-local variable, dom_bef. That variable is sized to hold the maximum number of possible internal members (MAX_MON_DOMAIN), but when the record is first allocated and validated that maximum is never considered. So an attacker can send a record containing more internal members than the maximum; when that record is later replaced, the memcpy into the stack variable overflows.
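To make the gap between the length checks and the stack buffer concrete, here is an added example (our own model, not the kernel's TIPC code) of the validation pattern described above. The struct layout, the MEMBER_SZ entry size, the MAX_MON_DOMAIN value of 64 and the function names are assumptions for the example; the real tipc_mon_rcv has different field names and layout. check_original mirrors the three checks listed: the length is internally consistent and matches the member count, but the member count itself is never compared against the capacity of the stack-local dom_bef. check_fixed adds that one comparison, which is the missing bounds check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the stack-local dom_bef: the kernel uses MAX_MON_DOMAIN,
 * whose value is assumed to be 64 here for the example. */
#define MAX_MON_DOMAIN 64
#define MEMBER_SZ 4 /* assumed size of one member entry (a node address) */

/* Hypothetical on-the-wire domain record header; not the kernel's real struct. */
struct mon_domain_hdr {
    uint32_t len;        /* total record length in bytes, as claimed by the sender */
    uint16_t member_cnt; /* number of member entries following the header */
};

/* Length a record with member_cnt entries should occupy. */
static size_t dom_rec_len(uint16_t member_cnt) {
    return sizeof(struct mon_domain_hdr) + (size_t)member_cnt * MEMBER_SZ;
}

/* Model of the original checks: the three length-consistency checks from the
 * write-up. They validate the length, never the member count against dom_bef. */
bool check_original(const uint8_t *data, size_t dlen) {
    struct mon_domain_hdr hdr;
    if (dlen < sizeof(hdr))                 /* at least an empty record */
        return false;
    memcpy(&hdr, data, sizeof(hdr));
    if (dlen != dom_rec_len(hdr.member_cnt)) /* length matches member count */
        return false;
    if (hdr.len != dlen)                    /* length matches the len field */
        return false;
    return true;
}

/* Hardened model: additionally reject more members than dom_bef can hold. */
bool check_fixed(const uint8_t *data, size_t dlen) {
    struct mon_domain_hdr hdr;
    if (!check_original(data, dlen))
        return false;
    memcpy(&hdr, data, sizeof(hdr));
    return hdr.member_cnt <= MAX_MON_DOMAIN;
}

/* dom_bef is sized for MAX_MON_DOMAIN members; the original code memcpy'd the
 * stored record into it unconditionally. This reports whether that copy overflows. */
bool copy_to_dom_bef_would_overflow(uint16_t member_cnt) {
    return dom_rec_len(member_cnt) > dom_rec_len(MAX_MON_DOMAIN);
}

/* Build a constructed, length-consistent record with member_cnt entries.
 * Returns the record length, or 0 if it does not fit in buf. */
size_t build_record(uint8_t *buf, size_t cap, uint16_t member_cnt) {
    size_t need = dom_rec_len(member_cnt);
    if (need > cap)
        return 0;
    struct mon_domain_hdr hdr = { .len = (uint32_t)need, .member_cnt = member_cnt };
    memcpy(buf, &hdr, sizeof(hdr));
    for (uint16_t i = 0; i < member_cnt; i++) {
        uint32_t addr = 0x01001000u + i; /* constructed node address */
        memcpy(buf + sizeof(hdr) + (size_t)i * MEMBER_SZ, &addr, MEMBER_SZ);
    }
    return need;
}

/* Run one validator over a constructed record with the given member count. */
bool record_passes(uint16_t member_cnt, bool (*check)(const uint8_t *, size_t)) {
    uint8_t buf[4096];
    size_t n = build_record(buf, sizeof buf, member_cnt);
    return n != 0 && check(buf, n);
}

int main(void) {
    uint16_t cnts[] = { 1, MAX_MON_DOMAIN, MAX_MON_DOMAIN + 1 };
    for (size_t i = 0; i < sizeof cnts / sizeof cnts[0]; i++) {
        printf("members=%u original=%d fixed=%d dom_bef_overflow=%d\n",
               cnts[i], record_passes(cnts[i], check_original),
               record_passes(cnts[i], check_fixed),
               copy_to_dom_bef_would_overflow(cnts[i]));
    }
    return 0;
}
```

A record with MAX_MON_DOMAIN + 1 members is perfectly self-consistent, so every length check passes and the record is stored; only when a later record replaces it does the copy into the fixed-size dom_bef run past the end. The fix is to bound member_cnt at receive time, before the record is ever stored.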