From: Eric Dumazet <[email protected]> commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream.
Denys provided an awesome KASAN report pointing to an use after free in xt_TCPMSS I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact. Signed-off-by: Eric Dumazet <[email protected]> Reported-by: Denys Fedoryshchenko <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> [wt: adjust context] Signed-off-by: Willy Tarreau <[email protected]> --- net/netfilter/xt_TCPMSS.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 7011c71..c656269 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -68,7 +68,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); /* Header cannot be larger than the packet */ - if (tcplen < tcph->doff*4) + if (tcplen < tcph->doff*4 || tcph->doff*4 < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -117,6 +117,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (tcplen > tcph->doff*4) return 0; + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcph->doff >= 15) + return 0; + /* * MSS Option not found ?! add it.. */ -- 2.8.0.rc2.1.gbe9624a
