From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Young Xiao <92siuyang@gmail.com>, Maxim Mikityanskiy, Mat Martineau, "David S. Miller", Sasha Levin
Subject: [PATCH 5.12 042/178] mptcp: Fix out of bounds when parsing TCP options
Date: Mon, 21 Jun 2021 18:14:16 +0200
Message-Id: <20210621154923.590934946@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210621154921.212599475@linuxfoundation.org>
References: <20210621154921.212599475@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Maxim Mikityanskiy

[ Upstream commit 07718be265680dcf496347d475ce1a5442f55ad7 ]

The TCP option parser in mptcp (mptcp_get_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options.").

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Signed-off-by: Maxim Mikityanskiy
Reviewed-by: Mat Martineau
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin

--- net/mptcp/options.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 8848a9e2a95b..47d90cf31f12 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -337,6 +337,8 @@ void mptcp_get_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return; -- 2.30.2
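
Review bot: the new `if (length < 2)` guard in the `default:` branch has no comment saying why the bound is 2, while the `opsize < 2` test directly below it carries one ("silly options"). A short comment such as "need room for the opcode and the opsize byte" would make it clear that this check is about the remaining buffer length and the next one is about the option's declared size, since the two look alike at a glance. The early `return` matches how the following `opsize < 2` case bails out, so the two failure paths stay consistent. The visible context ends at that `return;`, so whether `opsize` is also compared against `length` before the option body is read cannot be seen here; worth confirming when applying the backport.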