From: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST)
>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb,
>> > > length--;
>> > > continue;
>> > > default:
>> > > + if (length < 2)
>> > > + return;
>> > > opsize = *ptr++;
>> > > if (opsize < 2) /* "silly options" */
>> > > return;
I'm trying to figure out how this can even matter.
If we are in the loop, length is at least one.
That means it is legal to read the opsize byte.
By the next check, opsize is at least 2.
And then the very next line in this code makes sure length >= opsize:
if (opsize > length)
return; /* don't parse partial options */
Therefore no out-of-range access is possible as far as I can see.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
