netfilter: nf_ct_tcp: fix incorrect handling of invalid TCP option

Michael M. Builov reported that in the tcp_options and tcp_sack functions of netfilter TCP conntrack the incorrect handling of invalid TCP option with too big opsize may lead to read access beyond tcp-packet or buffer allocated on stack (netfilter bugzilla #738). The fix is to stop parsing the options at detecting the broken option. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2011-08-30 09:45:10 -0400
committer: Patrick McHardy <kaber@trash.net> 2011-08-30 09:45:10 -0400
commit: 4a5cc84ae7e19fb7a72a30332ba67af43e0ad1ad (patch)
tree: b6ed9ec59814bfdacbdbd87cd24bccc08c54e5ae /net
parent: 4c6e4209662b2a4147cde16c2144a253a7430a49 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 37bf94394be0..afc4ab7cfe01 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
                        if (opsize < 2) /* "silly options" */
                                return;
                        if (opsize > length)
-                                break;  /* don't parse partial options */
+                                return; /* don't parse partial options */
                        if (opcode == TCPOPT_SACK_PERM
                            && opsize == TCPOLEN_SACK_PERM)
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
                        if (opsize < 2) /* "silly options" */
                                return;
                        if (opsize > length)
-                                break;  /* don't parse partial options */
+                                return; /* don't parse partial options */
                        if (opcode == TCPOPT_SACK
                            && opsize >= (TCPOLEN_SACK_BASE
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2011-08-30 09:45:10 -0400
committer	Patrick McHardy <kaber@trash.net>	2011-08-30 09:45:10 -0400
commit	4a5cc84ae7e19fb7a72a30332ba67af43e0ad1ad (patch)
tree	b6ed9ec59814bfdacbdbd87cd24bccc08c54e5ae /net
parent	4c6e4209662b2a4147cde16c2144a253a7430a49 (diff)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 37bf94394be0..afc4ab7cfe01 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -409,7 +409,7 @@ static void tcp_options(const struct sk_buff *skb,
409	if (opsize < 2) /* "silly options" */	409	if (opsize < 2) /* "silly options" */
410	return;	410	return;
411	if (opsize > length)	411	if (opsize > length)
412	break; /* don't parse partial options */	412	return; /* don't parse partial options */
413		413
414	if (opcode == TCPOPT_SACK_PERM	414	if (opcode == TCPOPT_SACK_PERM
415	&& opsize == TCPOLEN_SACK_PERM)	415	&& opsize == TCPOLEN_SACK_PERM)
@@ -469,7 +469,7 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
469	if (opsize < 2) /* "silly options" */	469	if (opsize < 2) /* "silly options" */
470	return;	470	return;
471	if (opsize > length)	471	if (opsize > length)
472	break; /* don't parse partial options */	472	return; /* don't parse partial options */
473		473
474	if (opcode == TCPOPT_SACK	474	if (opcode == TCPOPT_SACK
475	&& opsize >= (TCPOLEN_SACK_BASE	475	&& opsize >= (TCPOLEN_SACK_BASE