Skip to main content

Browse the archive

Revision 07718be265680dcf496347d475ce1a5442f55ad7 authored by Maxim Mikityanskiy on 10 June 2021, 16:40:30 UTC, committed by David S. Miller on 10 June 2021, 21:26:18 UTC 
mptcp: Fix out of bounds when parsing TCP options
 
The TCP option parser in mptcp (mptcp_get_options) could read one byte
out of bounds. When the length is 1, the execution flow gets into the
loop, reads one byte of the opcode, and if the opcode is neither
TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the
length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 5fc177a
Raw File
mpi-cmp.c 
/* mpi-cmp.c  -  MPI functions
 * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
 * GnuPG is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * GnuPG is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
 */

#include "mpi-internal.h"

int mpi_cmp_ui(MPI u, unsigned long v)
{
	mpi_limb_t limb = v;

	mpi_normalize(u);
	if (!u->nlimbs && !limb)
		return 0;
	if (u->sign)
		return -1;
	if (u->nlimbs > 1)
		return 1;

	if (u->d[0] == limb)
		return 0;
	else if (u->d[0] > limb)
		return 1;
	else
		return -1;
}
EXPORT_SYMBOL_GPL(mpi_cmp_ui);

static int do_mpi_cmp(MPI u, MPI v, int absmode)
{
	mpi_size_t usize;
	mpi_size_t vsize;
	int usign;
	int vsign;
	int cmp;

	mpi_normalize(u);
	mpi_normalize(v);

	usize = u->nlimbs;
	vsize = v->nlimbs;
	usign = absmode ? 0 : u->sign;
	vsign = absmode ? 0 : v->sign;

	/* Compare sign bits.  */

	if (!usign && vsign)
		return 1;
	if (usign && !vsign)
		return -1;

	/* U and V are either both positive or both negative.  */

	if (usize != vsize && !usign && !vsign)
		return usize - vsize;
	if (usize != vsize && usign && vsign)
		return vsize + usize;
	if (!usize)
		return 0;
	cmp = mpihelp_cmp(u->d, v->d, usize);
	if (!cmp)
		return 0;
	if ((cmp < 0?1:0) == (usign?1:0))
		return 1;

	return -1;
}

int mpi_cmp(MPI u, MPI v)
{
	return do_mpi_cmp(u, v, 0);
}
EXPORT_SYMBOL_GPL(mpi_cmp);

int mpi_cmpabs(MPI u, MPI v)
{
	return do_mpi_cmp(u, v, 1);
}
EXPORT_SYMBOL_GPL(mpi_cmpabs);
back to top