diff options
| author | Florian Westphal <fw@strlen.de> | 2026-01-19 12:30:42 +0100 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2026-03-04 07:21:14 -0500 |
| commit | 8b300f726640c48c3edfe9c453334dd801f4b74e (patch) | |
| tree | 392370ce74ca9be0bc1891d23047c7c29882b77a /net/netfilter | |
| parent | fb0af2fcee1749e18b881b2266dd95c8c83008d7 (diff) | |
| download | linux-8b300f726640c48c3edfe9c453334dd801f4b74e.tar.gz linux-8b300f726640c48c3edfe9c453334dd801f4b74e.tar.bz2 linux-8b300f726640c48c3edfe9c453334dd801f4b74e.zip | |
netfilter: xt_tcpmss: check remaining length before reading optlen
[ Upstream commit 735ee8582da3d239eb0c7a53adca61b79fb228b3 ]
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Reported-by: sungzii <sungzii@pm.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/xt_tcpmss.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c index 37704ab01799..0d32d4841cb3 100644 --- a/net/netfilter/xt_tcpmss.c +++ b/net/netfilter/xt_tcpmss.c @@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) return (mssval >= info->mss_min && mssval <= info->mss_max) ^ info->invert; } - if (op[i] < 2) + if (op[i] < 2 || i == optlen - 1) i++; else i += op[i+1] ? : 1; |