From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Rafal Kupka", "Pablo Neira Ayuso"
Date: Sun, 11 Feb 2018 04:20:06 +0000
Subject: [PATCH 3.2 61/79] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary
X-Mailing-List: linux-kernel@vger.kernel.org

3.2.99-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso

commit bc6bcb59dd7c184d229f9e86d08aa56059938a4c upstream.

This target assumes that tcph->doff is well-formed, which may well not be the case. Add extra sanity checks to avoid a possible crash due to a read/write out of the real packet boundary.

After this patch, the default action on malformed TCP packets is to drop them. Moreover, fragments are skipped.

Reported-by: Rafal Kupka
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Ben Hutchings
---
 net/netfilter/xt_TCPOPTSTRIP.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -30,17 +30,28 @@ static inline unsigned int optlen(const static unsigned int tcpoptstrip_mangle_packet(struct sk_buff *skb, - const struct xt_tcpoptstrip_target_info *info, + const struct xt_action_param *par, unsigned int tcphoff, unsigned int minlen) { + const struct xt_tcpoptstrip_target_info *info = par->targinfo; unsigned int optl, i, j; struct tcphdr *tcph; u_int16_t n, o; u_int8_t *opt; + int len; + + /* This is a fragment, no TCP header is available */ + if (par->fragoff != 0) + return XT_CONTINUE; if (!skb_make_writable(skb, skb->len)) return NF_DROP; + len = skb->len - tcphoff; + if (len < (int)sizeof(struct tcphdr) || + tcp_hdr(skb)->doff * 4 > len) + return NF_DROP; + tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); opt = (u_int8_t *)tcph; @@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff static unsigned int tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par) { - return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb), + return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb), sizeof(struct iphdr) + sizeof(struct tcphdr)); } @@ -93,7 +104,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, con if (tcphoff < 0) return NF_DROP; - return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff, + return tcpoptstrip_mangle_packet(skb, par, tcphoff, sizeof(*ipv6h) + sizeof(struct tcphdr)); } #endif
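Review bot: in the first hunk the new length check reads `tcp_hdr(skb)->doff`, while the mangling that follows works on `tcph`, computed separately as `skb_network_header(skb) + tcphoff`; if the transport header offset is not set for this skb in some hook path, the header that was validated is not the header that gets walked. Suggest moving the `tcph = ...` assignment above the check and testing `tcph->doff * 4 > len`, so the bytes checked are the bytes mangled. The check also does not reject `doff` below 5 (a header shorter than `sizeof(struct tcphdr)`); whether the option loop below copes with that is not visible in this hunk, but such a header is malformed and could be dropped here with the same `NF_DROP`. Placing the check after `skb_make_writable(skb, skb->len)` is the right order, since that pulls the whole packet into the linear area before `doff` is read.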
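The bounds checks the patch introduces, worked through in user space as an added example (this is not the kernel's xt_TCPOPTSTRIP code, and the function and sample names below are constructed for illustration): a segment is skipped when it is a non-first fragment, dropped when fewer than 20 bytes are present or when the data offset claims more bytes than exist, and only then are its options walked and the selected kinds overwritten with NOPs. It goes one step beyond the patch by also rejecting a data offset below the minimum header size and by stopping the walk at an option whose length byte runs past the header. The real target additionally fixes up the TCP checksum, which is omitted here.

```c
/* Added example, not the kernel's code: the sanity checks from the patch
 * applied to a user-space TCP option stripper over constructed segments. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCP_HDR_MIN 20   /* sizeof(struct tcphdr) without options */

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1, VERDICT_SKIP = 2 };

/* Overwrite every option whose kind is flagged in strip[] with NOPs.
 * seg points at the TCP header; len is the number of bytes actually present
 * from there to the end of the packet (the patch's skb->len - tcphoff);
 * fragoff is the IP fragment offset. */
static int tcpoptstrip(uint8_t *seg, size_t len, unsigned fragoff,
                       const uint8_t strip[256])
{
    size_t hlen, i;

    if (fragoff != 0)              /* non-first fragment: no TCP header here */
        return VERDICT_SKIP;
    if (len < TCP_HDR_MIN)         /* not even a fixed header: doff is garbage */
        return VERDICT_DROP;
    /* Data offset (32-bit words) is the high nibble of byte 12. A header
     * longer than the bytes present, or shorter than the minimum, would
     * send the option walk out of the packet. */
    hlen = (size_t)(seg[12] >> 4) * 4;
    if (hlen < TCP_HDR_MIN || hlen > len)
        return VERDICT_DROP;

    for (i = TCP_HDR_MIN; i < hlen; ) {
        uint8_t kind = seg[i];
        size_t optl;

        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= hlen)         /* kind byte with no room for a length byte */
            break;
        optl = seg[i + 1];
        if (optl < 2 || i + optl > hlen)   /* bogus length: stop, don't overrun */
            break;
        if (strip[kind])
            memset(seg + i, TCPOPT_NOP, optl);
        i += optl;
    }
    return VERDICT_ACCEPT;
}

/* Count NOP bytes in the option area, to observe what was stripped. */
static size_t count_nops(const uint8_t *seg, size_t len)
{
    size_t hlen = (size_t)(seg[12] >> 4) * 4, i, n = 0;
    if (hlen > len)
        hlen = len;
    for (i = TCP_HDR_MIN; i < hlen; i++)
        n += (seg[i] == TCPOPT_NOP);
    return n;
}

/* Constructed 28-byte segment: doff=7, options MSS(2,4,1460),
 * SACK-permitted(4,2), NOP, NOP. Only byte 12 of the fixed header matters. */
static size_t sample_segment(uint8_t out[28])
{
    static const uint8_t opts[8] = { 2, 4, 0x05, 0xb4, 4, 2, 1, 1 };
    memset(out, 0, 28);
    out[12] = 7 << 4;
    memcpy(out + TCP_HDR_MIN, opts, sizeof opts);
    return 28;
}

/* Strip MSS only; returns the verdict and leaves the result in out. */
int demo_strip_mss(uint8_t out[28])
{
    uint8_t strip[256] = { 0 };
    strip[2] = 1;                          /* TCPOPT_MAXSEG */
    return tcpoptstrip(out, sample_segment(out), 0, strip);
}

/* doff=15 claims 60 bytes but only 20 are present: dropped. */
int demo_doff_beyond_packet(void)
{
    uint8_t seg[TCP_HDR_MIN] = { 0 }, strip[256] = { 0 };
    seg[12] = 15 << 4;
    return tcpoptstrip(seg, sizeof seg, 0, strip);
}

/* doff=4 (16 bytes) is below the minimum header: also dropped. */
int demo_doff_too_small(void)
{
    uint8_t seg[TCP_HDR_MIN] = { 0 }, strip[256] = { 0 };
    seg[12] = 4 << 4;
    return tcpoptstrip(seg, sizeof seg, 0, strip);
}

/* Non-first fragment passes through untouched. */
int demo_fragment(void)
{
    uint8_t seg[28], strip[256] = { 0 };
    strip[2] = 1;
    return tcpoptstrip(seg, sample_segment(seg), 1, strip);
}

/* MSS length byte forged to 40 in a 28-byte header: walk stops, nothing
 * beyond hlen is touched, and the option is left as it was. */
int demo_bogus_option_length(uint8_t out[28])
{
    uint8_t strip[256] = { 0 };
    strip[2] = 1;
    sample_segment(out);
    out[21] = 40;
    return tcpoptstrip(out, 28, 0, strip);
}
```

The three early returns mirror the patch's order of decisions (fragment, short packet, oversized data offset); the extra `hlen < TCP_HDR_MIN` test and the per-option length check are the additions that a defensive walker wants on top of it.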