Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1160221ybi; Thu, 30 May 2019 12:35:31 -0700 (PDT) X-Google-Smtp-Source: APXvYqy3cH0IQKogb/4zNxy+lf+v9Zl4HeujB/JjeU6ZaRJVjQkxaRHHGFN3+kbcBI4WJEkGk7mx X-Received: by 2002:a17:90a:71cb:: with SMTP id m11mr4993442pjs.40.1559244931249; Thu, 30 May 2019 12:35:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559244931; cv=none; d=google.com; s=arc-20160816; b=aWmx7G1Hnh13muIMl3tba+TQqcs7CpmWGoLXXC6esW0WaK9Ky4H2Oe/DLhiXtz3rat 8VfNL5mI7kH733rw7OCoWTscvy2Sx6/8YNDSA+s10WiwnlFLONz5o//P4+9grtXVTiev MPCp3IXoZ5vMDtzmmOBlJ9r22AqvNjr8ThlrfNlplKHGLaOuHXcsMVenIPeGMvjcQQ1p b4mUTz8NiKAg6/BD2j92l+XUfNB/4tjahWU4GnS5kCP++1wcHFAYqUOEYXnHM+HYCAry LumBq9MhvSqc5VSqpfFeOEASRrLiDMAOPGlWRs8wsG0Vrf4/gWvm8C6bXv0QZDUcq2NC T7xQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=1vq9UzJLhadRt6vPd9C2DQSabcyDwYFL7LGKcJPdbG8=; b=MbiXsvhJrZFFZrOI4rqC+kx3WBl55b60J1ovSXWctW6tAB198OyyAAbt5d6e+6X+hA 3VMk12QtmXCkdIhdzSS1Lh3rNtkV1MEeIMY6+3EIvb0mMlOxn6AJeHt17N19rPcS8rQ9 QVGgMGM5hkLfDInTf6R8mufm4HQiGz/ihzWRUCqwn052MNzQ8nZU27p2H/UebmaoaV5K hU5VLYoWItbYbJrj19lV9UVTsLu/jPptjxR2t0Fk7LxMmAY+/Jl/CbHcyXSG5MaQuQnP 0T2oO07K4GQXti2/HMxbwXEg7qRz0mLhRKe5Nr90N7PvCzm8rDU5WexL0sVxtTi9GaIh eXfg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z24si1358085pfa.190.2019.05.30.12.35.14; Thu, 30 May 2019 12:35:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726509AbfE3TdH (ORCPT + 99 others); Thu, 30 May 2019 15:33:07 -0400 Received: from shards.monkeyblade.net ([23.128.96.9]:58880 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725440AbfE3TdH (ORCPT ); Thu, 30 May 2019 15:33:07 -0400 Received: from localhost (unknown [IPv6:2601:601:9f80:35cd::3d5]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id 7A9DC14DA817B; Thu, 30 May 2019 12:33:06 -0700 (PDT) Date: Thu, 30 May 2019 12:33:05 -0700 (PDT) Message-Id: <20190530.123305.679690617064301115.davem@davemloft.net> To: 92siuyang@gmail.com Cc: edumazet@google.com, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] ipv4: tcp_input: fix stack out of bounds when parsing TCP options. From: David Miller In-Reply-To: <1559117459-27353-1-git-send-email-92siuyang@gmail.com> References: <1559117459-27353-1-git-send-email-92siuyang@gmail.com> X-Mailer: Mew version 6.8 on Emacs 26.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Thu, 30 May 2019 12:33:06 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Young Xiao <92siuyang@gmail.com> Date: Wed, 29 May 2019 16:10:59 +0800 > The TCP option parsing routines in tcp_parse_options function could > read one byte out of the buffer of the TCP options. > > 1 while (length > 0) { > 2 int opcode = *ptr++; > 3 int opsize; > 4 > 5 switch (opcode) { > 6 case TCPOPT_EOL: > 7 return; > 8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ > 9 length--; > 10 continue; > 11 default: > 12 opsize = *ptr++; //out of bound access > > If length = 1, then there is an access in line2. > And another access is occurred in line 12. > This would lead to out-of-bound access. > > Therefore, in the patch we check that the available data length is > larger enough to pase both TCP option code and size. > > Signed-off-by: Young Xiao <92siuyang@gmail.com> Applied.