https://github.com/torvalds/linux
Revision 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC, committed by David S. Miller on 30 May 2019, 19:32:47 UTC
The TCP option parsing routines in tcp_parse_options function could read one byte out of the buffer of the TCP options. 1 while (length > 0) { 2 int opcode = *ptr++; 3 int opsize; 4 5 switch (opcode) { 6 case TCPOPT_EOL: 7 return; 8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ 9 length--; 10 continue; 11 default: 12 opsize = *ptr++; //out of bound access If length = 1, then there is an access in line2. And another access is occurred in line 12. This would lead to out-of-bound access. Therefore, in the patch we check that the available data length is larger enough to pase both TCP option code and size. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 62851d7
Tip revision: 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
Tip revision: 9609dad
File | Mode | Size |
---|---|---|
Documentation | ||
LICENSES | ||
arch | ||
block | ||
certs | ||
crypto | ||
drivers | ||
fs | ||
include | ||
init | ||
ipc | ||
kernel | ||
lib | ||
mm | ||
net | ||
samples | ||
scripts | ||
security | ||
sound | ||
tools | ||
usr | ||
virt | ||
.clang-format | -rw-r--r-- | 14.6 KB |
.cocciconfig | -rw-r--r-- | 59 bytes |
.get_maintainer.ignore | -rw-r--r-- | 71 bytes |
.gitattributes | -rw-r--r-- | 30 bytes |
.gitignore | -rw-r--r-- | 1.6 KB |
.mailmap | -rw-r--r-- | 11.9 KB |
COPYING | -rw-r--r-- | 423 bytes |
CREDITS | -rw-r--r-- | 96.9 KB |
Kbuild | -rw-r--r-- | 1.5 KB |
Kconfig | -rw-r--r-- | 563 bytes |
MAINTAINERS | -rw-r--r-- | 499.0 KB |
Makefile | -rw-r--r-- | 58.8 KB |
README | -rw-r--r-- | 727 bytes |
Computing file changes ...