netfilter: xt_tcpmss: check remaining length before reading optlen

Florian Westphal · Sasha Levin · commit eaedc0bc18be · 2026-03-04T07:20:27.000-05:00
[ Upstream commit 735ee85 ] Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). Reported-by: sungzii <sungzii@pm.me> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
 			return (mssval >= info->mss_min &&
 				mssval <= info->mss_max) ^ info->invert;
 		}
-		if (op[i] < 2)
+		if (op[i] < 2 || i == optlen - 1)
 			i++;
 		else
 			i += op[i+1] ? : 1;

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff skb, struct xt_action_param par)`
`61`	`61`	`return (mssval >= info->mss_min &&`
`62`	`62`	`mssval <= info->mss_max) ^ info->invert;`
`63`	`63`	`}`
`64`		`- if (op[i] < 2)`
	`64`	`+ if (op[i] < 2 \|\| i == optlen - 1)`
`65`	`65`	`i++;`
`66`	`66`	`else`
`67`	`67`	`i += op[i+1] ? : 1;`