Commit 1fbe8eb8 authored by Hideaki Yoshifuji's avatar Hideaki Yoshifuji

[NETFILTER]: Fix signedness overflow in ip{,6}_tables.c

Bug discovered by Olaf Kirch.
parent 9dc49036
...@@ -1529,11 +1529,16 @@ tcp_match(const struct sk_buff *skb, ...@@ -1529,11 +1529,16 @@ tcp_match(const struct sk_buff *skb,
== tcpinfo->flg_cmp, == tcpinfo->flg_cmp,
IPT_TCP_INV_FLAGS)) IPT_TCP_INV_FLAGS))
return 0; return 0;
if (tcpinfo->option && if (tcpinfo->option) {
!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph), if (tcph.doff * 4 < sizeof(tcph)) {
*hotdrop = 1;
return 0;
}
if (!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
tcpinfo->invflags & IPT_TCP_INV_OPTION, tcpinfo->invflags & IPT_TCP_INV_OPTION,
hotdrop)) hotdrop))
return 0; return 0;
}
return 1; return 1;
} }
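Review bot: The new guard `if (tcph.doff * 4 < sizeof(tcph))` carries no comment saying why a short data offset must be hot-dropped, and the length it protects, `tcph.doff*4 - sizeof(tcph)`, is still computed inline in the call below it. Because sizeof yields an unsigned type, that subtraction would wrap to a very large option length when the data offset is below the fixed header size, which appears to be the overflow the commit title refers to. I would add `/* doff*4 - sizeof(tcph) is unsigned: reject a data offset shorter than the fixed header before subtracting */` above the guard. The two spellings `tcph.doff * 4` and `tcph.doff*4` on adjacent lines could also be made uniform. tcp_match starts before this hunk, so the declaration and filling of `tcph` are not visible here.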
......
...@@ -1545,7 +1545,8 @@ tcp_find_option(u_int8_t option, ...@@ -1545,7 +1545,8 @@ tcp_find_option(u_int8_t option,
duprintf("tcp_match: finding option\n"); duprintf("tcp_match: finding option\n");
/* If we don't have the whole header, drop packet. */ /* If we don't have the whole header, drop packet. */
if (tcp->doff * 4 > datalen) { if (tcp->doff * 4 < sizeof(struct tcphdr) ||
tcp->doff * 4 > datalen) {
*hotdrop = 1; *hotdrop = 1;
return 0; return 0;
} }
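Review bot: The comment above the condition, "If we don't have the whole header, drop packet.", now describes only the second half of the test; the added `tcp->doff * 4 < sizeof(struct tcphdr)` rejects a data offset smaller than the fixed header, which is a different malformed case. I would reword it to `/* Drop if the data offset is shorter than the fixed header or runs past the data we have. */`. The rest of tcp_find_option lies outside the hunk, so whether the option walk that presumably follows also bounds each option's length against `tcp->doff * 4` cannot be confirmed from here and is worth checking in the same review.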
......