Message ID | 1459330475-2220-2-git-send-email-kadlec@blackhole.kfki.hu
---|---
State | Accepted
Delegated to: | Pablo Neira
On Wed, Mar 30, 2016 at 11:34:35AM +0200, Jozsef Kadlecsik wrote:

> Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
> the TCP option parsing routines in netfilter TCP connection tracking could
> read one byte out of the buffer of the TCP options. Therefore in the patch
> we check that the available data length is large enough to parse both TCP
> option code and size.

Applied, thanks Jozsef.
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 278f3b9..7cc1d9c 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize=*ptr++; if (opsize < 2) /* "silly options" */ return; @@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return;
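Review bot: The new `if (length < 2) return;` guard in both the `tcp_options()` and `tcp_sack()` hunks is the right place for the check: in the `default:` branch the existing `if (opsize < 2) /* "silly options" */ return;` validates the value of the size byte only after `opsize = *ptr++` has already read it, so with `length == 1` (only the option kind byte left) that read was one byte past the option data, which matches the KASAN stack out-of-bounds report in the cover text. Two follow-ups worth considering: nothing in the visible context of either hunk checks that `opsize` itself fits in the remaining `length` before the option body is consumed, so if that comparison is not already present further down in each function it should be added alongside this guard; and since both functions now carry the same kind/size prologue, the duplicated checks are a candidate for a small shared helper. Minor style nit while touching the line: the first hunk keeps `opsize=*ptr++;` without spaces around `=`, whereas the second hunk's `opsize = *ptr++;` follows kernel coding style.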