Revision - 07718be - mptcp: Fix out of bounds when parsing TCP options

Revision 07718be265680dcf496347d475ce1a5442f55ad7 authored by Maxim Mikityanskiy on 10 June 2021, 16:40:30 UTC, committed by David S. Miller on 10 June 2021, 21:26:18 UTC

mptcp: Fix out of bounds when parsing TCP options

The TCP option parser in mptcp (mptcp_get_options) could read one byte
out of bounds. When the length is 1, the execution flow gets into the
loop, reads one byte of the opcode, and if the opcode is neither
TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the
length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 parent 5fc177a

Files
Changes

Permalinks

File	Mode	Size
atomic
basic
clang-tools
coccinelle
dtc
dummy-tools
gcc-plugins
gdb
genksyms
kconfig
ksymoops
mod
package
selinux
tracing
.gitignore	-rw-r--r--	160 bytes
Kbuild.include	-rw-r--r--	9.0 KB
Kconfig.include	-rw-r--r--	2.6 KB
Lindent	-rwxr-xr-x	502 bytes
Makefile	-rw-r--r--	1.6 KB
Makefile.asm-generic	-rw-r--r--	1.8 KB
Makefile.build	-rw-r--r--	18.2 KB
Makefile.clean	-rw-r--r--	2.2 KB
Makefile.compiler	-rw-r--r--	2.7 KB
Makefile.dtbinst	-rw-r--r--	999 bytes
Makefile.extrawarn	-rw-r--r--	2.8 KB
Makefile.gcc-plugins	-rw-r--r--	2.5 KB
Makefile.headersinst	-rw-r--r--	2.9 KB
Makefile.host	-rw-r--r--	4.6 KB
Makefile.kasan	-rw-r--r--	1.6 KB
Makefile.kcov	-rw-r--r--	333 bytes
Makefile.kcsan	-rw-r--r--	739 bytes
Makefile.lib	-rw-r--r--	18.3 KB
Makefile.modfinal	-rw-r--r--	3.2 KB
Makefile.modinst	-rw-r--r--	2.4 KB
Makefile.modpost	-rw-r--r--	4.9 KB
Makefile.package	-rw-r--r--	6.6 KB
Makefile.ubsan	-rw-r--r--	837 bytes
Makefile.userprogs	-rw-r--r--	1.6 KB
adjust_autoksyms.sh	-rwxr-xr-x	2.1 KB
as-version.sh	-rwxr-xr-x	2.0 KB
asn1_compiler.c	-rw-r--r--	35.3 KB
bin2c.c	-rw-r--r--	743 bytes
bloat-o-meter	-rwxr-xr-x	3.4 KB
bootgraph.pl	-rwxr-xr-x	5.6 KB
bpf_doc.py	-rwxr-xr-x	24.9 KB
cc-can-link.sh	-rwxr-xr-x	166 bytes
cc-version.sh	-rwxr-xr-x	1.5 KB
check-sysctl-docs	-rwxr-xr-x	4.4 KB
check_extable.sh	-rwxr-xr-x	4.9 KB
checkdeclares.pl	-rw-r--r--	1.1 KB
checkincludes.pl	-rwxr-xr-x	1.9 KB
checkkconfigsymbols.py	-rwxr-xr-x	15.5 KB
checkpatch.pl	-rwxr-xr-x	222.4 KB
checkstack.pl	-rwxr-xr-x	5.9 KB
checksyscalls.sh	-rwxr-xr-x	7.3 KB
checkversion.pl	-rwxr-xr-x	1.9 KB
cleanfile	-rwxr-xr-x	3.5 KB
cleanpatch	-rwxr-xr-x	5.1 KB
coccicheck	-rwxr-xr-x	7.9 KB
config	-rwxr-xr-x	4.7 KB
const_structs.checkpatch	-rw-r--r--	1009 bytes
decode_stacktrace.sh	-rwxr-xr-x	5.2 KB
decodecode	-rwxr-xr-x	2.9 KB
depmod.sh	-rwxr-xr-x	1.4 KB
dev-needs.sh	-rwxr-xr-x	6.1 KB
diffconfig	-rwxr-xr-x	3.7 KB
documentation-file-ref-check	-rwxr-xr-x	5.6 KB
export_report.pl	-rwxr-xr-x	4.5 KB
extract-cert.c	-rw-r--r--	3.5 KB
extract-ikconfig	-rwxr-xr-x	1.7 KB
extract-module-sig.pl	-rwxr-xr-x	3.7 KB
extract-sys-certs.pl	-rwxr-xr-x	3.7 KB
extract-vmlinux	-rwxr-xr-x	1.7 KB
extract_xc3028.pl	-rwxr-xr-x	44.6 KB
faddr2line	-rwxr-xr-x	6.2 KB
file-size.sh	-rwxr-xr-x	86 bytes
find-unused-docs.sh	-rwxr-xr-x	1.3 KB
gcc-goto.sh	-rwxr-xr-x	511 bytes
gcc-ld	-rwxr-xr-x	711 bytes
gcc-x86_32-has-stack-protector.sh	-rwxr-xr-x	408 bytes
gcc-x86_64-has-stack-protector.sh	-rwxr-xr-x	198 bytes
gen_autoksyms.sh	-rwxr-xr-x	2.0 KB
gen_ksymdeps.sh	-rwxr-xr-x	399 bytes
generate_initcall_order.pl	-rwxr-xr-x	5.9 KB
get_abi.pl	-rwxr-xr-x	15.1 KB
get_dvb_firmware	-rwxr-xr-x	24.5 KB
get_feat.pl	-rwxr-xr-x	14.3 KB
get_maintainer.pl	-rwxr-xr-x	67.1 KB
gfp-translate	-rwxr-xr-x	1.7 KB
headerdep.pl	-rwxr-xr-x	3.5 KB
headers_check.pl	-rwxr-xr-x	3.7 KB
headers_install.sh	-rwxr-xr-x	3.4 KB
insert-sys-cert.c	-rw-r--r--	8.9 KB
jobserver-exec	-rwxr-xr-x	2.2 KB
kallsyms.c	-rw-r--r--	18.1 KB
kernel-doc	-rwxr-xr-x	69.0 KB
ld-version.sh	-rwxr-xr-x	1.7 KB
leaking_addresses.pl	-rwxr-xr-x	12.8 KB
link-vmlinux.sh	-rwxr-xr-x	11.1 KB
makelst	-rwxr-xr-x	808 bytes
markup_oops.pl	-rwxr-xr-x	7.9 KB
min-tool-version.sh	-rwxr-xr-x	631 bytes
mkcompile_h	-rwxr-xr-x	2.3 KB
mkmakefile	-rwxr-xr-x	426 bytes
mksysmap	-rwxr-xr-x	1.3 KB
mkuboot.sh	-rwxr-xr-x	414 bytes
module.lds.S	-rw-r--r--	1.5 KB
modules-check.sh	-rwxr-xr-x	427 bytes
nsdeps	-rw-r--r--	1.7 KB
objdiff	-rwxr-xr-x	2.8 KB
parse-maintainers.pl	-rwxr-xr-x	4.5 KB
patch-kernel	-rwxr-xr-x	9.9 KB
profile2linkerlist.pl	-rwxr-xr-x	414 bytes
prune-kernel	-rwxr-xr-x	708 bytes
recordmcount.c	-rw-r--r--	16.7 KB
recordmcount.h	-rw-r--r--	19.3 KB
recordmcount.pl	-rwxr-xr-x	18.7 KB
remove-stale-files	-rwxr-xr-x	1.3 KB
setlocalversion	-rwxr-xr-x	4.7 KB
show_delta	-rwxr-xr-x	3.0 KB
sign-file.c	-rw-r--r--	9.8 KB
sorttable.c	-rw-r--r--	8.7 KB
sorttable.h	-rw-r--r--	9.7 KB
spdxcheck-test.sh	-rw-r--r--	323 bytes
spdxcheck.py	-rwxr-xr-x	10.1 KB
spelling.txt	-rw-r--r--	31.6 KB
sphinx-pre-install	-rwxr-xr-x	21.7 KB
split-man.pl	-rwxr-xr-x	604 bytes
stackdelta	-rwxr-xr-x	1.8 KB
stackusage	-rwxr-xr-x	794 bytes
subarch.include	-rw-r--r--	641 bytes
syscallhdr.sh	-rwxr-xr-x	1.9 KB
syscalltbl.sh	-rwxr-xr-x	1.3 KB
tags.sh	-rwxr-xr-x	9.6 KB
tools-support-relr.sh	-rwxr-xr-x	518 bytes
unifdef.c	-rw-r--r--	34.8 KB
ver_linux	-rwxr-xr-x	2.6 KB
xen-hypercalls.sh	-rw-r--r--	386 bytes
xz_wrap.sh	-rwxr-xr-x	563 bytes

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...