netfilter: nf_ct_tcp: fix incorrect handling of invalid TCP option

Michael M. Builov reported that in the tcp_options and tcp_sack functions of netfilter TCP conntrack the incorrect handling of invalid TCP option with too big opsize may lead to read access beyond tcp-packet or buffer allocated on stack (netfilter bugzilla #738). The fix is to stop parsing the options at detecting the broken option. Signed-off-by: N Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: N Patrick McHardy <kaber@trash.net>

netfilter: nf_ct_tcp: fix incorrect handling of invalid TCP option
Michael M. Builov reported that in the tcp_options and tcp_sack functions of netfilter TCP conntrack the incorrect handling of invalid TCP option with too big opsize may lead to read access beyond tcp-packet or buffer allocated on stack (netfilter bugzilla #738). The fix is to stop parsing the options at detecting the broken option. Signed-off-by: N Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: N Patrick McHardy <kaber@trash.net>
4a5cc84a · Jozsef Kadlecsik · Patrick McHardy · 4c6e4209 · 4a5cc84a
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

net/netfilter/nf_conntrack_proto_tcp.c net/netfilter/nf_conntrack_proto_tcp.c +2 -2

未找到文件。
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
 			if (opsize < 2) /* "silly options" */
 				return;
 			if (opsize > length)
-				break;	/* don't parse partial options */
+				return;	/* don't parse partial options */

 			if (opcode == TCPOPT_SACK_PERM
 			    && opsize == TCPOLEN_SACK_PERM)
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
 			if (opsize < 2) /* "silly options" */
 				return;
 			if (opsize > length)
-				break;	/* don't parse partial options */
+				return;	/* don't parse partial options */

 			if (opcode == TCPOPT_SACK
 			    && opsize >= (TCPOLEN_SACK_BASE