* [PATCH 0/1] netfilter TCP conntrack option parser fix
@ 2016-03-30  9:34 Jozsef Kadlecsik
  2016-03-30  9:34 ` [PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options Jozsef Kadlecsik
From: Jozsef Kadlecsik @ 2016-03-30  9:34 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Please consider applying the next patch for the stable branches. It fixes
a one-byte read after the buffer issue discovered by Baozeng Ding.

The following changes since commit 29421198c3a860092e27c2ad8499dfe603398817:

  netfilter: ipv4: fix NULL dereference (2016-03-28 17:59:29 +0200)

are available in the git repository at:

  git://blackhole.kfki.hu/nf master

for you to fetch changes up to becfb96a8663e3884d78c23ab747df3fe4e1e50d:

  net: netfilter: Fix stack out of bounds when parsing TCP options (2016-03-29 11:44:13 +0200)

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      net: netfilter: Fix stack out of bounds when parsing TCP options

 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
 1 file changed, 4 insertions(+)


* [PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options
  2016-03-30  9:34 [PATCH 0/1] netfilter TCP conntrack option parser fix Jozsef Kadlecsik
@ 2016-03-30  9:34 ` Jozsef Kadlecsik
  2016-04-07 16:43   ` Pablo Neira Ayuso
From: Jozsef Kadlecsik @ 2016-03-30  9:34 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
the TCP option parsing routines in netfilter TCP connection tracking could
read one byte out of the buffer of the TCP options.  Therefore in the patch
we check that the available data length is large enough to parse both TCP
option code and size.

Reported-by: Baozeng Ding <sploving1@gmail.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 278f3b9..7cc1d9c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb,
 			length--;
 			continue;
 		default:
+			if (length < 2)
+				return;
 			opsize=*ptr++;
 			if (opsize < 2) /* "silly options" */
 				return;
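Review bot: the added `if (length < 2) return;` before `opsize=*ptr++` carries no comment, while the neighbouring `if (opsize < 2)` check keeps its `/* "silly options" */` note; a short `/* need both opcode and size bytes */` on the new line would record why two is the threshold (the one remaining byte of `length` is the opcode just consumed, so the size byte read next would be the byte past the buffer that KASAN flagged).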
@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
 			length--;
 			continue;
 		default:
+			if (length < 2)
+				return;
 			opsize = *ptr++;
 			if (opsize < 2) /* "silly options" */
 				return;
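Review bot: this is the same guard duplicated into tcp_sack(), whose option-walking loop mirrors tcp_options() line for line (compare `opsize = *ptr++;` here with `opsize=*ptr++;` in the first hunk, the only difference being whitespace); the two copies must stay in step, so either a comment pointing at the sibling loop or, outside a stable backport, a shared helper for the kind/size walk would reduce the risk of one parser being hardened and the other not.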
-- 
1.8.5.1


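The kind/size guard from the two hunks, worked through on constructed option lists. This is an added example written for this page, not the kernel's code; the `opsize > length` partial-option check, the return-value convention and the sample buffers are the example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define TCPOPT_EOL 0 /* end of option list, one byte */
#define TCPOPT_NOP 1 /* padding, one byte */

/* Walk a TCP option list with the loop shape of the two hunks above: EOL and
 * NOP are one byte, anything else is kind + size + payload.  Returns the
 * number of multi-byte options seen, or -1 for a malformed list.  `length < 2`
 * is the guard the patch adds: with only a kind byte left, reading the size
 * byte would touch one byte past the end of the buffer. */
int walk_tcp_options(const uint8_t *ptr, size_t length)
{
	int count = 0;

	while (length > 0) {
		uint8_t opcode = *ptr++, opsize;

		switch (opcode) {
		case TCPOPT_EOL:
			return count;
		case TCPOPT_NOP:
			length--;
			continue;
		default:
			if (length < 2)      /* kind byte only: size byte is out of bounds */
				return -1;
			opsize = *ptr++;
			if (opsize < 2)      /* "silly options" */
				return -1;
			if (opsize > length) /* example's own check: don't parse partial options */
				return -1;
			count++;
			ptr += opsize - 2;   /* skip the payload */
			length -= opsize;
		}
	}
	return count;
}

/* Constructed option lists (not taken from the report). */
static const uint8_t opts_ok[] = { 2, 4, 0x05, 0xb4, 1, 1, 4, 2, 0 }; /* MSS, NOP, NOP, SACK-permitted, EOL */
static const uint8_t opts_bare[] = { 1, 1, 2 };     /* NOP, NOP, MSS kind byte with no size byte */
static const uint8_t opts_trunc[] = { 2, 4, 0x05 }; /* MSS claims 4 bytes, only 3 present */
static const uint8_t opts_silly[] = { 3, 1 };       /* window scale with size 1 */
```

`opts_bare` is the shape that triggered the report: without the `length < 2` test the parser would read the size byte at index 3 of a 3-byte buffer.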

* Re: [PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options
  2016-03-30  9:34 ` [PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options Jozsef Kadlecsik
@ 2016-04-07 16:43   ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2016-04-07 16:43 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

On Wed, Mar 30, 2016 at 11:34:35AM +0200, Jozsef Kadlecsik wrote:
> Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
> the TCP option parsing routines in netfilter TCP connection tracking could
> read one byte out of the buffer of the TCP options.  Therefore in the patch
> we check that the available data length is large enough to parse both TCP
> option code and size.

Applied, thanks Jozsef.

