Merge branch 'tcp-options-oob-fixes'
Maxim Mikityanskiy says:

====================
Fix out of bounds when parsing TCP options

This series fixes out-of-bounds access in various places in the kernel
where parsing of TCP options takes place. Fortunately, many more
occurrences don't have this bug.

v2 changes:

synproxy: Added an early return when length < 0 to avoid calling
skb_header_pointer with negative length.

sch_cake: Added doff validation to avoid parsing garbage.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller committed Jun 10, 2021
2 parents d1b5bee + ba91c49 commit 0280f42
Showing 3 changed files with 12 additions and 1 deletion.
2 changes: 2 additions & 0 deletions net/mptcp/options.c
Expand Up @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb,
length--;
continue;
default:
if (length < 2)
return;
opsize = *ptr++;
if (opsize < 2) /* "silly options" */
return;
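Review bot: In the `default:` branch of mptcp_get_options(), the context shown after the new `if (length < 2) return;` only checks `opsize < 2`, so please confirm that `opsize > length` is also rejected just below the visible lines, as the sch_cake loops in this series do with `if (opsize < 2 || opsize > length)`. The new guard covers the read of the size byte only; the option body needs its own bound. A short comment that `length` still includes the kind byte at this point would also make the `< 2` threshold self-explanatory.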
5 changes: 5 additions & 0 deletions net/netfilter/nf_synproxy_core.c
Expand Up @@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
int length = (th->doff * 4) - sizeof(*th);
u8 buf[40], *ptr;

if (unlikely(length < 0))
return false;

ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
if (ptr == NULL)
return false;
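Review bot: The `length < 0` check in synproxy_parse_options() bounds `length` from below only, while `buf` just above is a fixed `u8 buf[40]`. The upper bound holds because `doff` is a 4-bit field, so the header is at most 60 bytes and the options at most 40, but nothing in the code says so. A one-line comment, or an explicit rejection of lengths larger than `sizeof(buf)`, would keep the buffer size and the check tied together.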
Expand All @@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
length--;
continue;
default:
if (length < 2)
return true;
opsize = *ptr++;
if (opsize < 2)
return true;
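Review bot: The new `if (length < 2) return true;` in the `default:` branch reports a truncated option as a successful parse, whereas the negative-length case added earlier in this function returns false. It matches the existing `opsize < 2` handling, so it looks intended, but a comment saying that a malformed trailing option ends parsing without failing would stop the two return values from reading as inconsistent.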
6 changes: 5 additions & 1 deletion net/sched/sch_cake.c
Expand Up @@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb,
}

tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
if (!tcph)
if (!tcph || tcph->doff < 5)
return NULL;

return skb_header_pointer(skb, offset,
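Review bot: `tcph->doff < 5` in cake_get_tcphdr() uses a bare constant; writing it as a comparison of `tcph->doff * 4` against `sizeof(*tcph)`, or adding a comment that 5 words is the minimum TCP header, would make the intent clear to the next reader. The ordering is right: the NULL test comes first, so `tcph` is never dereferenced when skb_header_pointer() fails.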
Expand All @@ -967,6 +967,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph,
length--;
continue;
}
if (length < 2)
break;
opsize = *ptr++;
if (opsize < 2 || opsize > length)
break;
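Review bot: In cake_get_tcpopt(), the `if (length < 2) break;` guard depends on `length` still counting the option-kind byte at this point, which is only implied by the `length--` in the branch above. A brief comment to that effect would help, since the `opsize > length` test two lines later relies on the same convention.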
Expand Down Expand Up @@ -1104,6 +1106,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph,
length--;
continue;
}
if (length < 2)
break;
opsize = *ptr++;
if (opsize < 2 || opsize > length)
break;
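Review bot: The option-walking loop in cake_tcph_may_drop() duplicates the one in cake_get_tcpopt(), and the same `length < 2` guard had to be added to both, as well as to the mptcp and synproxy parsers in this series. A shared iterator helper would let the bounds checks live in one place, so that a future fix does not have to be repeated per copy. Not a blocker for this merge, but worth a follow-up.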