From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Maxim Mikityanskiy, Young Xiao <92siuyang@gmail.com>, Florian Westphal, "David S . Miller", Sasha Levin
Subject: [PATCH 4.14 27/88] netfilter: synproxy: Fix out of bounds when parsing TCP options
Date: Mon, 28 Jun 2021 10:35:27 -0400
Message-Id: <20210628143628.33342-28-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210628143628.33342-1-sashal@kernel.org>
References: <20210628143628.33342-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.238-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-4.14.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 4.14.238-rc1
X-KernelTest-Deadline: 2021-06-30T14:36+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Maxim Mikityanskiy

[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ]

The TCP option parser in synproxy (synproxy_parse_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options.").

v2 changes: Added an early return when length < 0 to avoid calling skb_header_pointer with negative length.

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Signed-off-by: Maxim Mikityanskiy
Reviewed-by: Florian Westphal
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/netfilter/nf_synproxy_core.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c index 49bd8bb16b18..9ff26eb0309a 100644 --- a/net/netfilter/nf_synproxy_core.c +++ b/net/netfilter/nf_synproxy_core.c @@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, int length = (th->doff * 4) - sizeof(*th); u8 buf[40], *ptr; + if (unlikely(length < 0)) + return false; + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); if (ptr == NULL) return false; @@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, length--; continue; default: + if (length < 2) + return true; opsize = *ptr++; if (opsize < 2) return true; -- 2.30.2
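Review bot: the new `if (unlikely(length < 0)) return false;` in the first hunk is only meaningful because `length` is declared `int`, and the expression that feeds it, `(th->doff * 4) - sizeof(*th)`, is evaluated in the unsigned type of `sizeof` and then narrowed to `int`, so the negative value the check relies on comes from implementation-defined truncation rather than from a signed subtraction. Making the intent explicit with `int length = (th->doff * 4) - (int)sizeof(*th);` would let the guard stand on its own without depending on that conversion, and a one-line comment noting that `length < 0` means `doff < 5` (a header shorter than the fixed 20 bytes) would document why `false` is the right result here.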
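Review bot: the `if (length < 2) return true;` added in the second hunk sits immediately after the opcode byte has been consumed and before `opsize = *ptr++`, which is exactly the point where a remaining length of 1 would otherwise be overread, so the placement is right; what is missing is a comment stating that a lone trailing opcode is treated as end-of-options, mirroring the existing `if (opsize < 2) return true;` just below it. Worth spelling out in that comment why this path returns `true` (accept the packet with the options parsed so far) while the header-length check in the first hunk returns `false`, so a later reader does not mistake the asymmetry for a bug.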
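The commit message describes a length-accounting bug that is easy to reproduce outside the kernel: a parser that has consumed the opcode byte must check that a second byte actually remains before reading the option length. The following user-space C program is an added illustration, not the kernel's code; it mirrors the control flow of the patched `synproxy_parse_options` (EOL/NOP handling, the `length < 0` early return, the `length < 2` check before reading `opsize`) over a plain byte buffer, using constructed option bytes as input. The function and constant names (`parse_tcp_options`, `tcp_options_length`, `SAMPLE_OPTS`, the `*_of` helpers) are this example's own, and the `opsize > length` check is an extra guard added here for completeness.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds (RFC 793, RFC 1323, RFC 2018), same values the kernel uses. */
#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_MAXSEG     2
#define TCPOPT_WINDOW     3
#define TCPOPT_SACK_PERM  4
#define TCPOPT_TIMESTAMP  8

struct parsed_opts {
    uint16_t mss;
    uint8_t  wscale;
    bool     sack_ok;
    bool     tstamp_ok;
};

/* Option bytes = data offset (in 32-bit words) minus the 20-byte fixed header.
 * A doff below 5 is a malformed header and yields a negative result. */
int tcp_options_length(unsigned doff)
{
    return (int)(doff * 4) - 20;
}

/* Parse 'length' option bytes starting at 'ptr'. Returns false for a malformed
 * header length, true otherwise; a truncated option simply ends parsing. */
bool parse_tcp_options(const uint8_t *ptr, int length, struct parsed_opts *out)
{
    memset(out, 0, sizeof(*out));
    if (length < 0)                 /* the v2 early return from the patch */
        return false;

    while (length > 0) {
        int opcode = *ptr++;        /* one byte consumed: length >= 1 here */
        int opsize;

        switch (opcode) {
        case TCPOPT_EOL:
            return true;
        case TCPOPT_NOP:
            length--;
            continue;
        default:
            if (length < 2)         /* only the opcode remains: no opsize byte */
                return true;
            opsize = *ptr++;
            if (opsize < 2)         /* malformed option length */
                return true;
            if (opsize > length)    /* option claims bytes that are not there */
                return true;
            switch (opcode) {
            case TCPOPT_MAXSEG:
                if (opsize == 4)
                    out->mss = (uint16_t)((ptr[0] << 8) | ptr[1]);
                break;
            case TCPOPT_WINDOW:
                if (opsize == 3)
                    out->wscale = ptr[0] > 14 ? 14 : ptr[0];
                break;
            case TCPOPT_SACK_PERM:
                if (opsize == 2)
                    out->sack_ok = true;
                break;
            case TCPOPT_TIMESTAMP:
                if (opsize == 10)
                    out->tstamp_ok = true;
                break;
            }
            ptr += opsize - 2;      /* skip the option payload */
            length -= opsize;
        }
    }
    return true;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t SAMPLE_OPTS[20] = {
    TCPOPT_MAXSEG, 4, 0x05, 0xb4,            /* MSS 1460 */
    TCPOPT_NOP,
    TCPOPT_WINDOW, 3, 7,                     /* window scale 7 */
    TCPOPT_SACK_PERM, 2,
    TCPOPT_TIMESTAMP, 10, 0, 0, 0, 1, 0, 0, 0, 0,
};
const uint8_t SAMPLE_ONE_BYTE[1] = { TCPOPT_MAXSEG };      /* the length == 1 case */
const uint8_t SAMPLE_TRUNC[3]   = { TCPOPT_MAXSEG, 4, 0x05 }; /* opsize past the end */

/* Field accessors: -1 signals a malformed header length. */
int mss_of(const uint8_t *opts, int length)
{
    struct parsed_opts o;
    return parse_tcp_options(opts, length, &o) ? o.mss : -1;
}
int wscale_of(const uint8_t *opts, int length)
{
    struct parsed_opts o;
    return parse_tcp_options(opts, length, &o) ? o.wscale : -1;
}
int flags_of(const uint8_t *opts, int length)   /* bit 0: SACK permitted, bit 1: timestamps */
{
    struct parsed_opts o;
    if (!parse_tcp_options(opts, length, &o))
        return -1;
    return (o.sack_ok ? 1 : 0) | (o.tstamp_ok ? 2 : 0);
}

int main(void)
{
    printf("full: mss=%d wscale=%d flags=%d\n",
           mss_of(SAMPLE_OPTS, 20), wscale_of(SAMPLE_OPTS, 20), flags_of(SAMPLE_OPTS, 20));
    printf("one byte: mss=%d\n", mss_of(SAMPLE_ONE_BYTE, 1));
    printf("truncated: mss=%d\n", mss_of(SAMPLE_TRUNC, 3));
    printf("doff=4: length=%d mss=%d\n", tcp_options_length(4), mss_of(SAMPLE_OPTS, tcp_options_length(4)));
    return 0;
}
```

Building with `-fsanitize=address` and passing `SAMPLE_ONE_BYTE` through a copy of the loop without the `length < 2` check reproduces the one-byte overread the commit describes; with the check in place the sanitizer stays silent, which is the regression test worth keeping for a parser like this.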