From: Greg Kroah-Hartman Date: Tue, 12 Mar 2019 21:23:18 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v5.0.2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=705d27db02be1dd064fbe8b242e0bb0535345e06;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch --- diff --git a/queue-4.4/netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch b/queue-4.4/netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch new file mode 100644 index 00000000000..c92c1b262ed --- /dev/null +++ b/queue-4.4/netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch 
@@ -0,0 +1,46 @@ +From 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d Mon Sep 17 00:00:00 2001 +From: Jozsef Kadlecsik +Date: Wed, 30 Mar 2016 11:34:35 +0200 +Subject: netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options + +From: Jozsef Kadlecsik + +commit 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d upstream. + +Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that +the TCP option parsing routines in netfilter TCP connection tracking could +read one byte out of the buffer of the TCP options. Therefore in the patch +we check that the available data length is large enough to parse both TCP +option code and size. + +Reported-by: Baozeng Ding +Tested-by: Baozeng Ding +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Cc: Zubin Mithra +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_ + length--; + continue; + default: ++ if (length < 2) ++ return; + opsize=*ptr++; + if (opsize < 2) /* "silly options" */ + return; +@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buf + length--; + continue; + default: ++ if (length < 2) ++ return; + opsize = *ptr++; + if (opsize < 2) /* "silly options" */ + return; diff --git a/queue-4.4/series b/queue-4.4/series index 84a34bad41b..cfc8207370a 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -122,3 +122,4 @@ udplite-call-proper-backlog-handlers.patch netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch netfilter-nfnetlink_log-just-returns-error-for-unknown-command.patch netfilter-nfnetlink_acct-validate-nfacct_filter-parameters.patch +netfilter-nf_conntrack_tcp-fix-stack-out-of-bounds-when-parsing-tcp-options.patch
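Review bot: In the tcp_options() hunk, the new `if (length < 2) return;` in the `default:` branch has no comment saying what the 2 stands for, while the check right after it carries the /* "silly options" */ remark. A short comment would help, stating that both the option code byte and the size byte must still be inside the buffer before `opsize=*ptr++;` reads the size. The visible context ends at the `opsize < 2` test, so these lines do not show whether opsize is also compared against the remaining length. That is worth confirming against the 4.4 source when checking the backport.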
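Review bot: In the tcp_sack() hunk, the guard `if (length < 2) return;` is added a second time, to an option walk that in the visible lines matches the one in tcp_options() (`length--; continue; default:` followed by the opsize read and the `opsize < 2` test). Two hand-maintained copies of one bounds check can drift apart. For this stable backport the hunk should stay identical to upstream commit 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d, so any consolidation of the two walks belongs in a separate upstream change. As in the first hunk, a one-line comment on why the minimum is 2 would make the check self-explanatory.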