Commit 4ccd8953 authored by David S. Miller's avatar David S. Miller

[NETFILTER]: Fix tcp_find_option() bug properly.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 4dadf5b5
...@@ -1464,8 +1464,11 @@ tcp_find_option(u_int8_t option, ...@@ -1464,8 +1464,11 @@ tcp_find_option(u_int8_t option,
unsigned int i; unsigned int i;
duprintf("tcp_match: finding option\n"); duprintf("tcp_match: finding option\n");
if (!optlen)
return invert;
/* If we don't have the whole header, drop packet. */ /* If we don't have the whole header, drop packet. */
BUG_ON(!optlen);
op = skb_header_pointer(skb, op = skb_header_pointer(skb,
skb->nh.iph->ihl*4 + sizeof(struct tcphdr), skb->nh.iph->ihl*4 + sizeof(struct tcphdr),
optlen, _opt); optlen, _opt);
...@@ -1534,7 +1537,7 @@ tcp_match(const struct sk_buff *skb, ...@@ -1534,7 +1537,7 @@ tcp_match(const struct sk_buff *skb,
IPT_TCP_INV_FLAGS)) IPT_TCP_INV_FLAGS))
return 0; return 0;
if (tcpinfo->option) { if (tcpinfo->option) {
if (th->doff * 4 <= sizeof(_tcph)) { if (th->doff * 4 < sizeof(_tcph)) {
*hotdrop = 1; *hotdrop = 1;
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment