From patchwork Wed Mar 30 09:34:35 2016
X-Patchwork-Submitter: Jozsef Kadlecsik
X-Patchwork-Id: 603298
X-Patchwork-Delegate: pablo@netfilter.org
From: Jozsef Kadlecsik
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso
Subject: [PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options
Date: Wed, 30 Mar 2016 11:34:35 +0200
Message-Id: <1459330475-2220-2-git-send-email-kadlec@blackhole.kfki.hu>
In-Reply-To: <1459330475-2220-1-git-send-email-kadlec@blackhole.kfki.hu>
References: <1459330475-2220-1-git-send-email-kadlec@blackhole.kfki.hu>

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
the TCP option parsing routines in netfilter TCP connection tracking could
read one byte out of the buffer of the TCP options. Therefore in the patch
we check that the available data length is large enough to parse both TCP
option code and size.

Reported-by: Baozeng Ding
Tested-by: Baozeng Ding
Signed-off-by: Jozsef Kadlecsik
---
 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 278f3b9..7cc1d9c 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize=*ptr++; if (opsize < 2) /* "silly options" */ return; @@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return;
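Review bot: the guard `if (length < 2) return;` in the `default:` arm of tcp_options() (first hunk, @@ -410) sits in the right place, because `length` at that point still covers the option kind byte and the very next statement `opsize=*ptr++;` reads the size byte, which is the one-byte overread the commit message describes; a short comment on the new lines, e.g. `/* need both the kind and the length byte */`, would record why 2 is the bound, and the untouched context line `opsize=*ptr++;` lacks the spaces around `=` that the tcp_sack() hunk already uses (`opsize = *ptr++;`), so it is worth fixing while these lines are being edited.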
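Review bot: the second hunk (@@ -470, tcp_sack()) adds exactly the same check as the first, which is the second copy of the same kind/length walk in this file; since both loops now need the same `length < 2` and `opsize < 2` rules, consider factoring the option-header validation into a shared helper so a future fix lands in one place, and at minimum mirror in this hunk whatever comment the first hunk gets. The silent `return` on a truncated option matches how the existing `"silly options"` case is handled, so the behaviour is consistent: the rest of the options area is simply ignored for this segment.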
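The defect the commit message describes, an option walker that reads the length byte when only the kind byte is left, shown as an added example that is not part of this patch or of the netfilter code: a userspace walk over a TCP options area with the same loop shape as the kernel's `tcp_options()`, using a bounds-instrumented reader so the overread is reported instead of performed. The `guarded` argument switches the patch's `length < 2` check on and off so both behaviours can be compared on the same input. All names (`opt_reader`, `walk_tcp_options`, `demo_wellformed`, `demo_truncated`) and the sample byte strings are this example's own; the option kind numbers are the standard TCP assignments (EOL 0, NOP 1, MSS 2, window scale 3, SACK-permitted 4).

```c
/* Added example, not the netfilter code from the patch: a userspace walk over
 * a TCP options area with the same loop shape as the kernel's tcp_options(),
 * instrumented so an out-of-bounds read is reported instead of performed.
 * All names and the sample inputs below are this example's own. */
#include <string.h>

#define OPT_EOL        0   /* end of option list */
#define OPT_NOP        1   /* no-op padding, 1 byte */
#define OPT_WINDOW     3   /* window scale: kind, len, shift = 3 bytes */
#define OPT_SACK_PERM  4   /* SACK permitted: kind, len = 2 bytes */
#define FLAG_SACK_PERM    0x1
#define FLAG_WINDOW_SCALE 0x2

/* Bounds-instrumented reader: a read past `len` sets `overrun` and yields 0
 * instead of touching memory outside the buffer. */
struct opt_reader { const unsigned char *buf; int len, pos, overrun; };

static unsigned char rd_byte(struct opt_reader *r)
{
    if (r->pos >= r->len) { r->overrun = 1; return 0; }
    return r->buf[r->pos++];
}

struct opt_state { unsigned int flags; unsigned char td_scale; };

/* Walk `length` option bytes. `guarded` selects whether the patch's
 * `length < 2` check runs before the option length byte is read.
 * Returns 1 if every read stayed inside the buffer, 0 if one overran. */
int walk_tcp_options(const unsigned char *opts, int length, int guarded,
                     struct opt_state *st)
{
    struct opt_reader r = { opts, length, 0, 0 };

    memset(st, 0, sizeof(*st));
    while (length > 0) {
        int opcode = rd_byte(&r);   /* kind byte; `length` still counts it */
        int opsize;

        switch (opcode) {
        case OPT_EOL:
            return !r.overrun;
        case OPT_NOP:
            length--;
            continue;
        default:
            /* Only the kind byte was left: the size byte would be read one
             * past the end of the options area. This is the patch's check. */
            if (guarded && length < 2)
                return !r.overrun;
            opsize = rd_byte(&r);
            if (opsize < 2)          /* "silly options" */
                return !r.overrun;
            if (opsize > length)     /* don't parse partial options */
                return !r.overrun;
            if (opcode == OPT_SACK_PERM && opsize == 2) {
                st->flags |= FLAG_SACK_PERM;
            } else if (opcode == OPT_WINDOW && opsize == 3) {
                st->td_scale = rd_byte(&r);
                if (st->td_scale > 14)  /* RFC 1323 maximum shift */
                    st->td_scale = 14;
                st->flags |= FLAG_WINDOW_SCALE;
            } else {
                r.pos += opsize - 2;    /* skip an option we don't track */
            }
            length -= opsize;
        }
    }
    return !r.overrun;
}

/* Constructed sample inputs (not taken from the bug report). */
static const unsigned char SAMPLE_OK[] = {
    2, 4, 0x05, 0xb4,  /* MSS 1460: untracked, skipped */
    1,                 /* NOP */
    3, 3, 7,           /* window scale 7 */
    4, 2               /* SACK permitted */
};
/* Options area that ends right after an option kind byte. */
static const unsigned char SAMPLE_TRUNC[] = { OPT_NOP, OPT_WINDOW };

/* Returns the parsed window scale (7) when the well-formed sample parses
 * in bounds with both flags set, -1 otherwise. */
int demo_wellformed(void)
{
    struct opt_state st;
    if (!walk_tcp_options(SAMPLE_OK, sizeof SAMPLE_OK, 1, &st))
        return -1;
    return st.flags == (FLAG_SACK_PERM | FLAG_WINDOW_SCALE) ? st.td_scale : -1;
}

/* Returns 1 if the truncated sample was walked in bounds, 0 on an overread. */
int demo_truncated(int guarded)
{
    struct opt_state st;
    return walk_tcp_options(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, guarded, &st);
}
```

On `SAMPLE_TRUNC` the NOP leaves `length == 1`, the window-scale kind byte is consumed, and the unguarded walk then asks for a size byte that lies one past the end, which is exactly the overread KASAN flagged; with the check in place the walk stops before that read. The `guarded` switch exists only to put both outcomes side by side; a real parser keeps the check unconditionally.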