Google Git
Sign in
kernel/pub/scm/linux/kernel/git/netfilter/nf-next/refs/tags/nf-next-26-01-20
tag
011f2a96793d80b70f2bb2c0b96bc8d5c7582cb0
tagger
Florian Westphal <fw@strlen.de>
Tue Jan 20 16:24:36 2026 +0100
object
735ee8582da3d239eb0c7a53adca61b79fb228b3
netfilter pull request nf-next-26-01-20
commit
735ee8582da3d239eb0c7a53adca61b79fb228b3
[log]
author
Florian Westphal <fw@strlen.de>
Mon Jan 19 12:30:42 2026 +0100
committer
Florian Westphal <fw@strlen.de>
Tue Jan 20 16:23:38 2026 +0100
tree
d54a941765e14fa2e42d75adfb792d513bf93fdd
parent
de8a70cefcb26cdceaafdc5ac144712681419c29 [diff]
netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter:
  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
 op[i+1] directly without validating the remaining option length.

  If the last byte of the option field is not EOL/NOP (0/1), the code attempts
  to index op[i+1]. In the case where i + 1 == optlen, this causes an
  out-of-bounds read, accessing memory past the optlen boundary
  (either reading beyond the stack buffer _opt or the
  following payload).

Reported-by: sungzii <sungzii@pm.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
1 file changed
tree: d54a941765e14fa2e42d75adfb792d513bf93fdd
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .clippy.toml
  27. .cocciconfig
  28. .editorconfig
  29. .get_maintainer.ignore
  30. .gitattributes
  31. .gitignore
  32. .mailmap
  33. .pylintrc
  34. .rustfmt.toml
  35. COPYING
  36. CREDITS
  37. Kbuild
  38. Kconfig
  39. MAINTAINERS
  40. Makefile
  41. README