[thirdparty/kernel/stable-queue.git] / releases / 3.18.60 / netfilter-xt_tcpmss-add-more-sanity-tests-on-tcph-doff.patch

From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Mon, 3 Apr 2017 10:55:11 -0700
Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

From: Eric Dumazet <edumazet@google.com>

commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream.

Denys provided an awesome KASAN report pointing to an use
after free in xt_TCPMSS

I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/xt_TCPMSS.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb
 	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
 	tcp_hdrlen = tcph->doff * 4;
 
-	if (len < tcp_hdrlen)
+	if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
 		return -1;
 
 	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb
 	if (len > tcp_hdrlen)
 		return 0;
 
+	/* tcph->doff has 4 bits, do not wrap it to 0 */
+	if (tcp_hdrlen >= 15 * 4)
+		return 0;
+
 	/*
 	 * MSS Option not found ?! add it..
 	 */
Commit	Line	Data
5e077f5d GKH	1	From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Mon, 3 Apr 2017 10:55:11 -0700
	4	Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8	commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream.
	9
	10	Denys provided an awesome KASAN report pointing to an use
	11	after free in xt_TCPMSS
	12
	13	I have provided three patches to fix this issue, either in xt_TCPMSS or
	14	in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
	15	impact.
	16
	17	Signed-off-by: Eric Dumazet <edumazet@google.com>
	18	Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
	19	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	net/netfilter/xt_TCPMSS.c \| 6 +++++-
	24	1 file changed, 5 insertions(+), 1 deletion(-)
	25
	26	--- a/net/netfilter/xt_TCPMSS.c
	27	+++ b/net/netfilter/xt_TCPMSS.c
	28	@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb
	29	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
	30	tcp_hdrlen = tcph->doff * 4;
	31
	32	- if (len < tcp_hdrlen)
	33	+ if (len < tcp_hdrlen \|\| tcp_hdrlen < sizeof(struct tcphdr))
	34	return -1;
	35
	36	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
	37	@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb
	38	if (len > tcp_hdrlen)
	39	return 0;
	40
	41	+ /* tcph->doff has 4 bits, do not wrap it to 0 */
	42	+ if (tcp_hdrlen >= 15 * 4)
	43	+ return 0;
	44	+
	45	/*
	46	* MSS Option not found ?! add it..
	47	*/