| From 2638fd0f92d4397884fd991d8f4925cb3f081901 Mon Sep 17 00:00:00 2001 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Mon, 3 Apr 2017 10:55:11 -0700 |
| Subject: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream. |
| |
| Denys provided an awesome KASAN report pointing to an use |
| after free in xt_TCPMSS |
| |
| I have provided three patches to fix this issue, either in xt_TCPMSS or |
| in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible |
| impact. |
| |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/netfilter/xt_TCPMSS.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| --- a/net/netfilter/xt_TCPMSS.c |
| +++ b/net/netfilter/xt_TCPMSS.c |
| @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb |
| tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); |
| tcp_hdrlen = tcph->doff * 4; |
| |
| - if (len < tcp_hdrlen) |
| + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) |
| return -1; |
| |
| if (info->mss == XT_TCPMSS_CLAMP_PMTU) { |
| @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb |
| if (len > tcp_hdrlen) |
| return 0; |
| |
| + /* tcph->doff has 4 bits, do not wrap it to 0 */ |
| + if (tcp_hdrlen >= 15 * 4) |
| + return 0; |
| + |
| /* |
| * MSS Option not found ?! add it.. |
| */ |
