From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Young Xiao <92siuyang@gmail.com>, Maxim Mikityanskiy, Florian Westphal, "David S. Miller", Sasha Levin
Subject: [PATCH 5.10 034/146] netfilter: synproxy: Fix out of bounds when parsing TCP options
Date: Mon, 21 Jun 2021 18:14:24 +0200
Message-Id: <20210621154912.452507619@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210621154911.244649123@linuxfoundation.org>
References: <20210621154911.244649123@linuxfoundation.org>
User-Agent: quilt/0.66
X-Mailing-List: linux-kernel@vger.kernel.org

From: Maxim Mikityanskiy

[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ]

The TCP option parser in synproxy (synproxy_parse_options) could read one
byte out of bounds. When the length is 1, the execution flow gets into the
loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL
nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

v2 changes:

Added an early return when length < 0 to avoid calling skb_header_pointer
with negative length.

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Signed-off-by: Maxim Mikityanskiy
Reviewed-by: Florian Westphal
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/netfilter/nf_synproxy_core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index d7d34a62d3bf..2fc4ae960769 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, int length = (th->doff * 4) - sizeof(*th); u8 buf[40], *ptr; + if (unlikely(length < 0)) + return false; + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); if (ptr == NULL) return false; @@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, length--; continue; default: + if (length < 2) + return true; opsize = *ptr++; if (opsize < 2) return true; -- 2.30.2
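Review bot: In the first hunk (`@@ -31,6 +31,9 @@`), the new `if (unlikely(length < 0)) return false;` can only fire when `th->doff` is below 5, i.e. the header claims to be shorter than `sizeof(*th)`; a one-line comment stating that would spare the next reader from working out why `(th->doff * 4) - sizeof(*th)` can go negative at all, and it would document why this path returns false (there is no valid header to parse) while the truncation checks further down in the function, such as `if (opsize < 2) return true;`, return true.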
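Review bot: In the second hunk (`@@ -47,6 +50,8 @@`), `if (length < 2) return true;` treats an option list that ends right after an opcode byte as a successful parse, consistent with the existing `if (opsize < 2) return true;` two lines below but opposite to the `return false` of the new `length < 0` check in the first hunk; since the two additions fail in different directions, a short comment such as `/* truncated option: stop parsing, keep what we have */` would make the intent explicit. The placement is right for the scenario in the commit message: with length 1 the opcode byte read before the switch is the only byte consumed, and the length byte that used to be read past the end is never touched.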
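The one-byte overrun described in the commit message, as an added example that is not the kernel's or this patch's code: a stand-alone TCP option walker modelled on the logic visible in the hunks, with both the `length < 0` and the `length < 2` checks in place. The macro values, the helper names and the extra rejection of an option whose declared size exceeds the remaining bytes are this example's own assumptions (the visible hunks do not show that last check); all inputs are constructed.

```c
/* Added example, not the kernel's code: a stand-alone TCP option walker
 * carrying the two bounds checks this patch adds. All inputs are constructed. */
#include <stdbool.h>
#include <stdint.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4
#define TCP_HDR_MIN 20  /* sizeof(struct tcphdr) without options */

/* Option bytes implied by the Data Offset field (in 32-bit words). A doff
 * below 5 makes (doff * 4) - 20 negative; as in the patch's first hunk,
 * reject it here rather than pass a negative length to a buffer helper. */
static int tcp_option_length(unsigned doff)
{
    int length = (int)(doff * 4) - TCP_HDR_MIN;
    return length < 0 ? -1 : length;
}

/* Walk `length` option bytes at ptr, recording the MSS if a complete MSS
 * option is present (*mss stays 0 otherwise). Every dereference follows a
 * check on the remaining length, so a list that ends right after an opcode
 * byte (the length == 1 case in the commit message) stops the walk instead
 * of reading the missing length byte past the end of the buffer. */
static bool parse_tcp_options(const uint8_t *ptr, int length, uint16_t *mss)
{
    *mss = 0;
    if (length < 0)
        return false;            /* invalid header, nothing to parse */
    while (length > 0) {
        uint8_t opcode = *ptr++, opsize;
        switch (opcode) {
        case TCPOPT_EOL:
            return true;
        case TCPOPT_NOP:
            length--;
            continue;
        default:
            if (length < 2)      /* the patch's second hunk */
                return true;
            opsize = *ptr++;
            if (opsize < 2 || opsize > length)
                return true;     /* malformed or partial option */
            if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS)
                *mss = (uint16_t)((ptr[0] << 8) | ptr[1]);
            ptr += opsize - 2;
            length -= opsize;
        }
    }
    return true;
}
```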