--- /dev/null
+From 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Wed, 30 Mar 2016 11:34:35 +0200
+Subject: netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d upstream.
+
+Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
+the TCP option parsing routines in netfilter TCP connection tracking could
+read one byte out of the buffer of the TCP options. Therefore in the patch
+we check that the available data length is large enough to parse both TCP
+option code and size.
+
+Reported-by: Baozeng Ding <sploving1@gmail.com>
+Tested-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_
+ length--;
+ continue;
+ default:
++ if (length < 2)
++ return;
+ opsize=*ptr++;
+ if (opsize < 2) /* "silly options" */
+ return;
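Review bot: The new `if (length < 2)` guard in the `default:` case of tcp_options() has no comment, although it is the bounds check that stops the one-byte over-read, and the `opsize < 2` test right below it is annotated. I would add `/* need room for both option code and size byte */` above it, using the wording of the commit message, so a later cleanup does not mistake it for a duplicate of the "silly options" test. The same uncommented guard is added in tcp_sack() in the second hunk and deserves the same comment. Both parse loops start and end outside these hunks, so how `length` is counted when the guard runs cannot be confirmed from the lines shown. Since the two functions apparently walk the options the same way, a small shared `static` helper that validates the remaining length and returns the option size would keep the check in one place.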
+@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buf
+ length--;
+ continue;
+ default:
++ if (length < 2)
++ return;
+ opsize = *ptr++;
+ if (opsize < 2) /* "silly options" */
+ return;
netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch
netfilter-nfnetlink_log-just-returns-error-for-unknown-command.patch
netfilter-nfnetlink_acct-validate-nfacct_filter-parameters.patch
+netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch