From patchwork Mon Apr 3 17:55:11 2017
From: Eric Dumazet
To: Denys Fedoryshchenko
Cc: Linux Kernel Network Developers, Pablo Neira Ayuso, netfilter-devel@vger.kernel.org
Subject: [PATCH net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
Date: Mon, 03 Apr 2017 10:55:11 -0700
Message-ID: <1491242111.10124.32.camel@edumazet-glaptop3.roam.corp.google.com>
In-Reply-To: <1491132259.10124.3.camel@edumazet-glaptop3.roam.corp.google.com>
References: <6c6e2f7505f969d8c2998efff24063ba@nuclearcat.com> <1491132259.10124.3.camel@edumazet-glaptop3.roam.corp.google.com>
X-Patchwork-Id: 746618
X-Patchwork-Delegate: pablo@netfilter.org
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Eric Dumazet

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c.

It seems the xt_TCPMSS patch has the smallest possible impact.
Signed-off-by: Eric Dumazet
Reported-by: Denys Fedoryshchenko
---
 net/netfilter/xt_TCPMSS.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 27241a767f17b4b27d24095a31e5e9a2d3e29ce4..c64aca611ac5c5f81ad7c925652bbb90554763ac 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); tcp_hdrlen = tcph->doff * 4; - if (len < tcp_hdrlen) + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (len > tcp_hdrlen) return 0; + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcp_hdrlen >= 15 * 4) + return 0; + /* * MSS Option not found ?! add it.. */
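Review bot: the lower-bound test added in the first hunk, `tcp_hdrlen < sizeof(struct tcphdr)`, rejects a `doff` below 5 (a header shorter than the 20-byte fixed part), which the old `len < tcp_hdrlen` test alone let through; it deserves a short comment like the one in the second hunk saying why such a header is malformed, because that is not obvious from `tcp_hdrlen = tcph->doff * 4` on its own. Note also the asymmetry between the two new tests: this one returns -1 (drop, matching the existing short-packet path) while the `doff` wrap guard returns 0 (pass the packet unmodified). That is defensible, since a too-short header is invalid whereas a 60-byte header is legal but merely full, but a one-line comment stating the choice would save the next reader the question.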
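Review bot: the wrap guard in the second hunk, `if (tcp_hdrlen >= 15 * 4) return 0;`, is correct: with `doff` at its 4-bit maximum of 15 the header is already 60 bytes, so appending the 4-byte MSS option that the code below adds would push `doff` to 16, which truncates to 0. Because `tcp_hdrlen` is derived from a 4-bit field it can never exceed 60 here, so `>=` behaves as `==`; keeping `>=` is fine as a defensive form, but the comment could say that it is the option about to be added which overflows the field, so the origin of the constant (15 words of 4 bytes, no room for one more word) is clear. Returning 0 means the packet is forwarded with its MSS left unclamped rather than dropped, the safer outcome for a header that is legal.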