[NETFILTER]: Fix signedness overflow in ip{,6}_tables.c

Bug discovered by Olaf Kirch.

[NETFILTER]: Fix signedness overflow in ip{,6}_tables.c
Bug discovered by Olaf Kirch.
1fbe8eb8 · Hideaki Yoshifuji · 9dc49036 · 1fbe8eb8 · 1fbe8eb8
Commit 1fbe8eb8 authored Feb 16, 2004 by Hideaki Yoshifuji
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 6 deletions

net/ipv4/netfilter/ip_tables.c net/ipv4/netfilter/ip_tables.c +10 -5

net/ipv6/netfilter/ip6_tables.c net/ipv6/netfilter/ip6_tables.c +2 -1

No files found.
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1529,11 +1529,16 @@ tcp_match(const struct sk_buff *skb,
 		      == tcpinfo->flg_cmp,
 		      IPT_TCP_INV_FLAGS))
 		return 0;
-	if (tcpinfo->option &&
-	    !tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
-			     tcpinfo->invflags & IPT_TCP_INV_OPTION,
-			     hotdrop))
-		return 0;
+	if (tcpinfo->option) {
+		if (tcph.doff * 4 < sizeof(tcph)) {
+			*hotdrop = 1;
+			return 0;
+		}
+		if (!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
+				     tcpinfo->invflags & IPT_TCP_INV_OPTION,
+				     hotdrop))
+			return 0;
+	}
 	return 1;
 }


--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1545,7 +1545,8 @@ tcp_find_option(u_int8_t option,

 	duprintf("tcp_match: finding option\n");
 	/* If we don't have the whole header, drop packet. */
-	if (tcp->doff * 4 > datalen) {
+	if (tcp->doff * 4 < sizeof(struct tcphdr) ||
+	    tcp->doff * 4 > datalen) {
 		*hotdrop = 1;
 		return 0;
 	}