Commit 9609dad2 authored by Young Xiao's avatar Young Xiao Committed by David S. Miller

ipv4: tcp_input: fix stack out of bounds when parsing TCP options.

The TCP option parsing routines in tcp_parse_options function could
read one byte out of the buffer of the TCP options.

1         while (length > 0) {
2                 int opcode = *ptr++;
3                 int opsize;
4
5                 switch (opcode) {
6                 case TCPOPT_EOL:
7                         return;
8                 case TCPOPT_NOP:        /* Ref: RFC 793 section 3.1 */
9                         length--;
10                        continue;
11                default:
12                        opsize = *ptr++; //out of bound access

If length = 1, then there is an access in line2.
And another access is occurred in line 12.
This would lead to out-of-bound access.

Therefore, in the patch we check that the available data length is
larger enough to pase both TCP option code and size.
Signed-off-by: default avatarYoung Xiao <92siuyang@gmail.com>
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 62851d71
...@@ -3791,6 +3791,8 @@ void tcp_parse_options(const struct net *net, ...@@ -3791,6 +3791,8 @@ void tcp_parse_options(const struct net *net,
length--; length--;
continue; continue;
default: default:
if (length < 2)
return;
opsize = *ptr++; opsize = *ptr++;
if (opsize < 2) /* "silly options" */ if (opsize < 2) /* "silly options" */
return; return;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment