https://github.com/torvalds/linux
Revision 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC, committed by David S. Miller on 30 May 2019, 19:32:47 UTC
The TCP option parsing routines in tcp_parse_options function could
read one byte out of the buffer of the TCP options.
1 while (length > 0) {
2 int opcode = *ptr++;
3 int opsize;
4
5 switch (opcode) {
6 case TCPOPT_EOL:
7 return;
8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
9 length--;
10 continue;
11 default:
12 opsize = *ptr++; //out of bound access
If length = 1, then there is an access in line2.
And another access is occurred in line 12.
This would lead to out-of-bound access.
Therefore, in the patch we check that the available data length is
larger enough to pase both TCP option code and size.
Signed-off-by: Young Xiao <92siuyang@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 62851d7
Tip revision: 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
Tip revision: 9609dad
| File | Mode | Size |
|---|---|---|
| Kconfig | -rw-r--r-- | 3.3 KB |
| Makefile | -rw-r--r-- | 459 bytes |
| aops.c | -rw-r--r-- | 52.4 KB |
| aops.h | -rw-r--r-- | 3.9 KB |
| attrib.c | -rw-r--r-- | 89.6 KB |
| attrib.h | -rw-r--r-- | 4.2 KB |
| bitmap.c | -rw-r--r-- | 5.4 KB |
| bitmap.h | -rw-r--r-- | 3.5 KB |
| collate.c | -rw-r--r-- | 3.6 KB |
| collate.h | -rw-r--r-- | 1.7 KB |
| compress.c | -rw-r--r-- | 28.7 KB |
| debug.c | -rw-r--r-- | 4.8 KB |
| debug.h | -rw-r--r-- | 2.3 KB |
| dir.c | -rw-r--r-- | 51.5 KB |
| dir.h | -rw-r--r-- | 1.6 KB |
| endian.h | -rw-r--r-- | 2.2 KB |
| file.c | -rw-r--r-- | 60.6 KB |
| index.c | -rw-r--r-- | 14.8 KB |
| index.h | -rw-r--r-- | 5.5 KB |
| inode.c | -rw-r--r-- | 96.3 KB |
| inode.h | -rw-r--r-- | 11.1 KB |
| layout.h | -rw-r--r-- | 97.0 KB |
| lcnalloc.c | -rw-r--r-- | 32.4 KB |
| lcnalloc.h | -rw-r--r-- | 5.7 KB |
| logfile.c | -rw-r--r-- | 28.2 KB |
| logfile.h | -rw-r--r-- | 13.5 KB |
| malloc.h | -rw-r--r-- | 3.0 KB |
| mft.c | -rw-r--r-- | 99.4 KB |
| mft.h | -rw-r--r-- | 4.0 KB |
| mst.c | -rw-r--r-- | 6.9 KB |
| namei.c | -rw-r--r-- | 14.1 KB |
| ntfs.h | -rw-r--r-- | 5.0 KB |
| quota.c | -rw-r--r-- | 3.6 KB |
| quota.h | -rw-r--r-- | 1.2 KB |
| runlist.c | -rw-r--r-- | 59.5 KB |
| runlist.h | -rw-r--r-- | 3.3 KB |
| super.c | -rw-r--r-- | 99.6 KB |
| sysctl.c | -rw-r--r-- | 2.3 KB |
| sysctl.h | -rw-r--r-- | 1.4 KB |
| time.h | -rw-r--r-- | 3.5 KB |
| types.h | -rw-r--r-- | 2.0 KB |
| unistr.c | -rw-r--r-- | 12.2 KB |
| upcase.c | -rw-r--r-- | 3.8 KB |
| usnjrnl.c | -rw-r--r-- | 2.7 KB |
| usnjrnl.h | -rw-r--r-- | 9.1 KB |
| volume.h | -rw-r--r-- | 6.8 KB |
Computing file changes ...
