Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4a5cc84a authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by Patrick McHardy
Browse files

netfilter: nf_ct_tcp: fix incorrect handling of invalid TCP option 



Michael M. Builov reported that in the tcp_options and tcp_sack functions
of netfilter TCP conntrack the incorrect handling of invalid TCP option
with too big opsize may lead to read access beyond tcp-packet or buffer
allocated on stack (netfilter bugzilla #738). The fix is to stop parsing
the options at detecting the broken option.

Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 4c6e4209

net/netfilter/nf_conntrack_proto_tcp.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb, 
			if (opsize < 2) /* "silly options" */

			if (opsize < 2) /* "silly options" */

				return;

				return;

			if (opsize > length)

			if (opsize > length)

				break;	/* don't parse partial options */

				return;	/* don't parse partial options */





			if (opcode == TCPOPT_SACK_PERM

			if (opcode == TCPOPT_SACK_PERM

			    && opsize == TCPOLEN_SACK_PERM)

			    && opsize == TCPOLEN_SACK_PERM)
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, 
			if (opsize < 2) /* "silly options" */

			if (opsize < 2) /* "silly options" */

				return;

				return;

			if (opsize > length)

			if (opsize > length)

				break;	/* don't parse partial options */

				return;	/* don't parse partial options */





			if (opcode == TCPOPT_SACK

			if (opcode == TCPOPT_SACK

			    && opsize >= (TCPOLEN_SACK_BASE

			    && opsize >= (TCPOLEN_SACK_BASE