Commit 2638fd0

Eric Dumazet authored and ummakynes committed
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems the xt_TCPMSS patch has the smallest possible impact.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 0b9aefe commit 2638fd0

1 file changed: +5 -1 lines changed


Diff for: net/netfilter/xt_TCPMSS.c

@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
104104
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
105105
tcp_hdrlen = tcph->doff * 4;
106106

107-
if (len < tcp_hdrlen)
107+
if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
108108
return -1;
109109

110110
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
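Review bot: the new `tcp_hdrlen < sizeof(struct tcphdr)` test deserves a comment explaining why a doff below 5 is rejected here, in the same way the second hunk comments its `15 * 4` bound; as written, a reader sees `tcp_hdrlen = tcph->doff * 4` followed by a bare lower-bound check and has to infer that an undersized header would let the later option parsing operate on a length shorter than the fixed TCP header. Something like `/* doff < 5 is invalid: header would be shorter than struct tcphdr */` on the line above the `if` would make the intent self-evident. The ordering is fine: `len < tcp_hdrlen` is still evaluated first, so the existing early `return -1` path is unchanged for truncated packets.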
@@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
152152
if (len > tcp_hdrlen)
153153
return 0;
154154

155+
/* tcph->doff has 4 bits, do not wrap it to 0 */
156+
if (tcp_hdrlen >= 15 * 4)
157+
return 0;
158+
155159
/*
156160
* MSS Option not found ?! add it..
157161
*/
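Review bot: the `tcp_hdrlen >= 15 * 4` guard is correct (doff is a 4-bit field, so a header already at 15 words cannot grow by the 4-byte MSS option without wrapping to 0), but the bound is expressed with magic numbers; naming it, e.g. a local constant for the maximum 60-byte TCP header length, or writing it as `(15 * 4)` with the doff width in the comment, would tie it to the field width rather than to an arithmetic result. It is also worth noting in the commit message that this path returns 0, i.e. the packet is passed through with no MSS option added and no clamping applied, matching the behaviour of the `len > tcp_hdrlen` return just above it, so an operator relying on clamping will not see these packets mangled.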
