netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options · b71ec041cc - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options

commit 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d upstream.

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
the TCP option parsing routines in netfilter TCP connection tracking could
read one byte out of the buffer of the TCP options.  Therefore in the patch
we check that the available data length is large enough to parse both TCP
option code and size.

Reported-by: Baozeng Ding <sploving1@gmail.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This commit is contained in:

Jozsef Kadlecsik

2016-03-30 11:34:35 +02:00

• committed by

Greg Kroah-Hartman

parent a55ea87f70

commit b71ec041cc

1 changed files with 4 additions and 0 deletions

									
										4

net/netfilter/nf_conntrack_proto_tcp.c
									
										View file
										
				@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb,

							length--;

							continue;

						default:

							if (length < 2)

								return;

							opsize=*ptr++;

							if (opsize < 2) /* "silly options" */

								return;

				@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,

							length--;

							continue;

						default:

							if (length < 2)

								return;

							opsize = *ptr++;

							if (opsize < 2) /* "silly options" */

								return;