https://github.com/torvalds/linux
Revision 9609dad263f8bea347f41fddca29353dbf8a7d37 authored by Young Xiao on 29 May 2019, 08:10:59 UTC, committed by David S. Miller on 30 May 2019, 19:32:47 UTC
The TCP option parsing routine tcp_parse_options could read one byte past the end of the buffer holding the TCP options. 1 while (length > 0) { 2 int opcode = *ptr++; 3 int opsize; 4 5 switch (opcode) { 6 case TCPOPT_EOL: 7 return; 8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ 9 length--; 10 continue; 11 default: 12 opsize = *ptr++; //out of bound access If length = 1, one byte is read at line 2 and another byte is read at line 12. This leads to an out-of-bounds access. Therefore, the patch checks that the available data length is large enough to parse both the TCP option code and size. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 62851d7
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.