| Message ID | 20210609142212.3096691-3-maximmi@nvidia.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | Fix out of bounds when parsing TCP options | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Clearly marked for net |
| netdev/subject_prefix | success | Link |
| netdev/cc_maintainers | warning | 1 maintainers not CCed: mptcp@lists.linux.dev |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 1 this patch: 1 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 1 this patch: 1 |
| netdev/header_inline | success | Link |
On Wed, 9 Jun 2021, Maxim Mikityanskiy wrote: > The TCP option parser in mptcp (mptcp_get_options) could read one byte > out of bounds. When the length is 1, the execution flow gets into the > loop, reads one byte of the opcode, and if the opcode is neither > TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the > length of 1. > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack > out of bounds when parsing TCP options."). > > Cc: Young Xiao <92siuyang@gmail.com> > Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> > --- > net/mptcp/options.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/mptcp/options.c b/net/mptcp/options.c > index 6b825fb3fa83..9b263f27ce9b 100644 > --- a/net/mptcp/options.c > +++ b/net/mptcp/options.c > @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, > length--; > continue; > default: > + if (length < 2) > + return; > opsize = *ptr++; > if (opsize < 2) /* "silly options" */ > return; > -- > 2.25.1 Florian's comment on patch 1 prompted me to double-check th->doff validation, and for MPTCP we're covered by the check in tcp_v4_rcv(). So this patch looks good: Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> If you send a v2 series, please also cc: mptcp@lists.linux.dev Thanks! -- Mat Martineau Intel
diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 6b825fb3fa83..9b263f27ce9b 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return;
The TCP option parser in mptcp (mptcp_get_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). Cc: Young Xiao <92siuyang@gmail.com> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> --- net/mptcp/options.c | 2 ++ 1 file changed, 2 insertions(+)