ipv4: tcp_input: fix stack out of bounds when parsing TCP options.

The TCP option parsing routines in tcp_parse_options function could read one byte out of the buffer of the TCP options. 1 while (length > 0) { 2 int opcode = *ptr++; 3 int opsize; 4 5 switch (opcode) { 6 case TCPOPT_EOL: 7 return; 8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ 9 length--; 10 continue; 11 default: 12 opsize = *ptr++; //out of bound access If length = 1, then there is an access in line2. And another access is occurred in line 12. This would lead to out-of-bound access. Therefore, in the patch we check that the available data length is larger enough to pase both TCP option code and size. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Young Xiao <92siuyang@gmail.com> 2019-05-29 16:10:59 +0800
committer: David S. Miller <davem@davemloft.net> 2019-05-30 12:32:47 -0700
commit: 9609dad263f8bea347f41fddca29353dbf8a7d37 (patch)
tree: b902b6acddb4cb880224265ce6d95f1513874d0b /net
parent: 62851d71e771e4fc099de16bb27f696c343516d9 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c61edd023b35..08a477e74cf3 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3791,6 +3791,8 @@ void tcp_parse_options(const struct net *net,
 			length--;
 			continue;
 		default:
+			if (length < 2)
+				return;
 			opsize = *ptr++;
 			if (opsize < 2) /* "silly options" */
 				return;
author	Young Xiao <92siuyang@gmail.com>	2019-05-29 16:10:59 +0800
committer	David S. Miller <davem@davemloft.net>	2019-05-30 12:32:47 -0700
commit	9609dad263f8bea347f41fddca29353dbf8a7d37 (patch)
tree	b902b6acddb4cb880224265ce6d95f1513874d0b /net
parent	62851d71e771e4fc099de16bb27f696c343516d9 (diff)