Skip to main content

Browse the archive

https://github.com/torvalds/linux
23 October 2021, 00:29:24 UTC
Revision 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC, committed by David S. Miller on 30 May 2019, 19:32:47 UTC 
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
 
The TCP option parsing routines in tcp_parse_options function could
read one byte out of the buffer of the TCP options.

1         while (length > 0) {
2                 int opcode = *ptr++;
3                 int opsize;
4
5                 switch (opcode) {
6                 case TCPOPT_EOL:
7                         return;
8                 case TCPOPT_NOP:        /* Ref: RFC 793 section 3.1 */
9                         length--;
10                        continue;
11                default:
12                        opsize = *ptr++; //out of bound access

If length = 1, then there is an access in line2.
And another access is occurred in line 12.
This would lead to out-of-bound access.

Therefore, in the patch we check that the available data length is
larger enough to pase both TCP option code and size.

Signed-off-by: Young Xiao <92siuyang@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 62851d7
Raw File
Tip revision: 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
Tip revision: 9609dad
.gitattributes 
*.c   diff=cpp
*.h   diff=cpp
back to top