Skip to content

Commit

Permalink
netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP…
Browse files Browse the repository at this point in the history 
… options

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
the TCP option parsing routines in netfilter TCP connection tracking could
read one byte out of the buffer of the TCP options.  Therefore in the patch
we check that the available data length is large enough to parse both TCP
option code and size.

Reported-by: Baozeng Ding <sploving1@gmail.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  • Loading branch information
Jozsef Kadlecsik authored and Pablo Neira Ayuso committed Apr 7, 2016
1 parent ff76def commit 644c7e4
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions net/netfilter/nf_conntrack_proto_tcp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb,
length--;
continue;
default:
if (length < 2)
return;
opsize=*ptr++;
if (opsize < 2) /* "silly options" */
return;
Expand Down Expand Up @@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
length--;
continue;
default:
if (length < 2)
return;
opsize = *ptr++;
if (opsize < 2) /* "silly options" */
return;
Expand Down

0 comments on commit 644c7e4

Please sign in to comment.