1 | From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001 |
2 | From: Eric Dumazet <edumazet@google.com> | |
3 | Date: Mon, 3 Apr 2017 10:55:11 -0700 | |
4 | Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff | |
5 | ||
6 | From: Eric Dumazet <edumazet@google.com> | |
7 | ||
8 | commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream. | |
9 | ||
10 | Denys provided an awesome KASAN report pointing to a use | |
11 | after free in xt_TCPMSS | |
12 | ||
13 | I have provided three patches to fix this issue, either in xt_TCPMSS or | |
14 | in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible | |
15 | impact. | |
16 | ||
17 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
18 | Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com> | |
19 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | |
20 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
21 | ||
22 | --- | |
23 | net/netfilter/xt_TCPMSS.c | 6 +++++- | |
24 | 1 file changed, 5 insertions(+), 1 deletion(-) | |
25 | ||
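--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb
 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
 tcp_hdrlen = tcph->doff * 4;
 
-if (len < tcp_hdrlen)
+if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
 return -1;
 
 if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb
 if (len > tcp_hdrlen)
 return 0;
 
+/* tcph->doff has 4 bits, do not wrap it to 0 */
+if (tcp_hdrlen >= 15 * 4)
+return 0;
+
 /*
 * MSS Option not found ?! add it..
 */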
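Review bot: The new guard `if (tcp_hdrlen >= 15 * 4)` hard-codes the 60-byte maximum, which only reads as a wrap check to someone who already knows doff is a 4-bit count of 32-bit words and that the function presumably does `tcph->doff += TCPOLEN_MSS / 4` further down; that increment is outside the hunk, so the connection is invisible here. Tying the check to the operation it protects would be clearer, e.g. `if (tcph->doff + TCPOLEN_MSS / 4 > 15)` with the comment `/* header is already the 60-byte maximum; adding a 4-byte MSS option would wrap the 4-bit doff to 0 */`. Returning 0 here appears to let the packet through with its MSS unclamped, mirroring the `len > tcp_hdrlen` case just above; if that is the intended outcome rather than a drop, saying so in the comment stops a later reader from "fixing" it to -1. tcpmss_mangle_packet begins and ends outside this hunk.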