
Commit bc6bcb5

committed
netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary
This target assumes that tcph->doff is well-formed, which may well not be the case. Add extra sanity checks to avoid a possible crash due to reading/writing beyond the real packet boundary. After this patch, the default action on malformed TCP packets is to drop them. Moreover, fragments are skipped. Reported-by: Rafal Kupka <rkupka@telemetry.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 8cdb46d commit bc6bcb5


1 file changed

+14
-3
lines changed


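--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -30,17 +30,28 @@ static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset)
 
 static unsigned int
 tcpoptstrip_mangle_packet(struct sk_buff *skb,
-const struct xt_tcpoptstrip_target_info *info,
+const struct xt_action_param *par,
 unsigned int tcphoff, unsigned int minlen)
 {
+const struct xt_tcpoptstrip_target_info *info = par->targinfo;
 unsigned int optl, i, j;
 struct tcphdr *tcph;
 u_int16_t n, o;
 u_int8_t *opt;
+int len;
+
+/* This is a fragment, no TCP header is available */
+if (par->fragoff != 0)
+return XT_CONTINUE;
 
 if (!skb_make_writable(skb, skb->len))
 return NF_DROP;
 
+len = skb->len - tcphoff;
+if (len < (int)sizeof(struct tcphdr) ||
+tcp_hdr(skb)->doff * 4 > len)
+return NF_DROP;
+
 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
 opt = (u_int8_t *)tcph;
 
@@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
 static unsigned int
 tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
-return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
+return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb),
 sizeof(struct iphdr) + sizeof(struct tcphdr));
 }
 
@@ -94,7 +105,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 if (tcphoff < 0)
 return NF_DROP;
 
-return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff,
+return tcpoptstrip_mangle_packet(skb, par, tcphoff,
 sizeof(*ipv6h) + sizeof(struct tcphdr));
 }
 #endif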
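Review bot: The new bound in tcpoptstrip_mangle_packet reads the header length through `tcp_hdr(skb)`, while the pointer the mangling code actually writes through is computed two lines later as `skb_network_header(skb) + tcphoff`; these only agree if skb->transport_header already points at the TCP header on every path, which is not visible here (tg6 derives tcphoff itself, and that hunk is reviewed by the same note). Moving the `tcph` assignment above the check and testing `if (len < (int)sizeof(struct tcphdr) || tcph->doff * 4 > len)` ties the bound to the same pointer that is later dereferenced. The check also admits doff values below 5, i.e. a header shorter than the fixed 20 bytes; whether the option loop that follows tolerates that depends on its bounds, which lie outside this hunk, so rejecting `tcph->doff < 5` explicitly would make the invariant self-evident. tcpoptstrip_mangle_packet continues past the end of the first hunk.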
