Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2338563c authored by Eric Dumazet's avatar Eric Dumazet Committed by Usaamah Patel
Browse files

CVE-2017-18017: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff 



Denys provided an awesome KASAN report pointing to an use
after free in xt_TCPMSS

I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.

Change-Id: Ia2a0983db2d48aaa918957507163c34e4fd6860e
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarDenys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent fb446be9

net/netfilter/xt_TCPMSS.c

+7 −1
Original line number Diff line number Diff line
@@ -53,6 +53,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, 
	const struct xt_tcpmss_info *info = par->targinfo;

	struct tcphdr *tcph;

	unsigned int tcplen, i;

	int tcphlen;

	__be16 oldval;

	u16 newmss;

	u8 *opt;
@@ -66,9 +67,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, 


	tcplen = skb->len - tcphoff;

	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);

	tcphlen = tcph->doff * 4;



	/* Header cannot be larger than the packet */

	if (tcplen < tcph->doff*4)

	if (tcplen < tcphlen || tcphlen < sizeof(struct tcphdr))

		return -1;



	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -117,6 +119,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, 
	if (tcplen > tcph->doff*4)

		return 0;



	/* tcph->doff has 4 bits, do not wrap it to 0 */

	if (tcphlen >= 15 * 4)

		return 0;



	/*

	 * MSS Option not found ?! add it..

	 */