forked from Minki/linux
netfilter: nf_ct_tcp: fix incorrect handling of invalid TCP option
Michael M. Builov reported that in the tcp_options and tcp_sack functions of netfilter TCP conntrack the incorrect handling of invalid TCP option with too big opsize may lead to read access beyond tcp-packet or buffer allocated on stack (netfilter bugzilla #738). The fix is to stop parsing the options at detecting the broken option. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
4c6e420966
commit
4a5cc84ae7
@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
|
||||
if (opsize < 2) /* "silly options" */
|
||||
return;
|
||||
if (opsize > length)
|
||||
break; /* don't parse partial options */
|
||||
return; /* don't parse partial options */
|
||||
|
||||
if (opcode == TCPOPT_SACK_PERM
|
||||
&& opsize == TCPOLEN_SACK_PERM)
|
||||
@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
|
||||
if (opsize < 2) /* "silly options" */
|
||||
return;
|
||||
if (opsize > length)
|
||||
break; /* don't parse partial options */
|
||||
return; /* don't parse partial options */
|
||||
|
||||
if (opcode == TCPOPT_SACK
|
||||
&& opsize >= (TCPOLEN_SACK_BASE
|
||||
|
Loading…
Reference in New Issue
Block a user