https://github.com/torvalds/linux
Revision 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC, committed by David S. Miller on 30 May 2019, 19:32:47 UTC
The TCP option parsing routines in the tcp_parse_options function could read one byte beyond the buffer of the TCP options. 1 while (length > 0) { 2 int opcode = *ptr++; 3 int opsize; 4 5 switch (opcode) { 6 case TCPOPT_EOL: 7 return; 8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ 9 length--; 10 continue; 11 default: 12 opsize = *ptr++; //out of bound access If length = 1, then there is an access in line 2, and another access occurs in line 12. This would lead to an out-of-bounds access. Therefore, in the patch we check that the available data length is large enough to parse both the TCP option code and size. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 62851d7
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.