Commit 644c7e48 authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by Pablo Neira Ayuso

netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
the TCP option parsing routines in netfilter TCP connection tracking could
read one byte out of the buffer of the TCP options.  Therefore in the patch
we check that the available data length is large enough to parse both TCP
option code and size.
Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
Tested-by: default avatarBaozeng Ding <sploving1@gmail.com>
Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent ff76def3
...@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb, ...@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb,
length--; length--;
continue; continue;
default: default:
if (length < 2)
return;
opsize=*ptr++; opsize=*ptr++;
if (opsize < 2) /* "silly options" */ if (opsize < 2) /* "silly options" */
return; return;
...@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, ...@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
length--; length--;
continue; continue;
default: default:
if (length < 2)
return;
opsize = *ptr++; opsize = *ptr++;
if (opsize < 2) /* "silly options" */ if (opsize < 2) /* "silly options" */
return; return;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment