From patchwork Sun Apr 1 14:22:50 2012
X-Patchwork-Submitter: Changli Gao
X-Patchwork-Id: 149928
X-Patchwork-Delegate: davem@davemloft.net
From: Changli Gao
To: Pablo Neira Ayuso
Cc: Patrick McHardy, "David S. Miller", netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, Changli Gao
Subject: [PATCH] netfilter: check the length of the data before dereferencing it
Date: Sun, 1 Apr 2012 22:22:50 +0800
Message-Id: <1333290170-26898-1-git-send-email-xiaosuo@gmail.com>

We should check the length of the data before dereferencing it when parsing the TCP options.

Signed-off-by: Changli Gao
---
 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 361eade..9e446c5 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -404,6 +404,8 @@ static void tcp_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize=*ptr++; if (opsize < 2) /* "silly options" */ return; @@ -464,6 +466,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return;
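
Review bot: the new 'if (length < 2)' test in the default: case of tcp_options() carries no comment, unlike the 'opsize < 2' test directly below it, which is labelled "silly options". A one-line comment saying that a multi-byte option needs at least a kind byte and a length byte, and that this test guards the 'opsize=*ptr++' read, would make it clear why the bound is 2 and keep a later cleanup from folding it into the opsize checks that come after the read.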
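
Review bot: the guard added to the default: case of tcp_sack() is a verbatim copy of the one added to tcp_options(), so both loops now duplicate the same validation sequence ('length < 2', then 'opsize < 2'). Consider moving that sequence into a shared helper so the two parsers cannot drift apart. The changelog should also say what happens without the check (with one byte left, 'opsize = *ptr++' reads past the remaining option data) so reviewers can judge whether the fix needs backporting.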