git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-4.4/netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch
1 From 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d Mon Sep 17 00:00:00 2001
2 From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3 Date: Wed, 30 Mar 2016 11:34:35 +0200
4 Subject: netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
5
6 From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
7
8 commit 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d upstream.
9
10 Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
11 the TCP option parsing routines in netfilter TCP connection tracking could
12 read one byte out of the buffer of the TCP options. Therefore in the patch
13 we check that the available data length is large enough to parse both TCP
14 option code and size.
15
16 Reported-by: Baozeng Ding <sploving1@gmail.com>
17 Tested-by: Baozeng Ding <sploving1@gmail.com>
18 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
19 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
20 Cc: Zubin Mithra <zsm@chromium.org>
21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
22
23 ---
24 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
25 1 file changed, 4 insertions(+)
26
27 --- a/net/netfilter/nf_conntrack_proto_tcp.c
28 +++ b/net/netfilter/nf_conntrack_proto_tcp.c
29 @@ -410,6 +410,8 @@ static void tcp_options(const struct sk_
30 length--;
31 continue;
32 default:
33 + if (length < 2)
34 + return;
35 opsize=*ptr++;
36 if (opsize < 2) /* "silly options" */
37 return;
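Review bot: The new `if (length < 2)` guard in the default case of tcp_options() carries no comment, and the constant 2 is only right if `length` still counts the option-kind byte when the default case is reached. The visible NOP case does its own `length--`, which suggests the kind byte is not subtracted when it is read, but a reader has to infer that. A one-line comment saying that both the kind and the size byte must be available before `opsize=*ptr++;` would record the invariant and keep it apart from the unrelated `opsize < 2` "silly options" test two lines below, which uses the same literal for a different reason. The bare `return` on a truncated option matches how the "silly options" case bails out, so parsing stops quietly either way.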
38 @@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buf
39 length--;
40 continue;
41 default:
42 + if (length < 2)
43 + return;
44 opsize = *ptr++;
45 if (opsize < 2) /* "silly options" */
46 return;