From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary
Date: Wed, 15 May 2013 15:59:35 +0200 [thread overview]
Message-ID: <20130515135935.GA1605@localhost> (raw)
In-Reply-To: <20130515123336.GE18095@breakpoint.cc>
On Wed, May 15, 2013 at 02:33:36PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > This target assumes that tcph->doff is well-formed, that may be well
> > not the case. Add extra sanity checkings to avoid possible crash due
> > to read/write out of the real packet boundary.
>
> > static unsigned int
> > tcpoptstrip_mangle_packet(struct sk_buff *skb,
> > - const struct xt_tcpoptstrip_target_info *info,
> > + const struct xt_action_param *par,
> > unsigned int tcphoff, unsigned int minlen)
> > {
> > + const struct xt_tcpoptstrip_target_info *info = par->targinfo;
> > unsigned int optl, i, j;
> > struct tcphdr *tcph;
> > u_int16_t n, o;
> > u_int8_t *opt;
> > + int len;
> > +
> [..]
> > + len = skb->len - tcphoff;
> > + if (len < sizeof(struct tcphdr))
>
> I think this needs a cast 'if (len < (int) sizeof( ...?
I'm not hitting any compilation warning.
> > @@ -51,7 +67,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
> > for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
> > optl = optlen(opt, i);
> >
> > - if (i + optl > tcp_hdrlen(skb))
> > + if (i + optl > len)
> > break;
>
> I don't understand this change. This should stop parsing if the
> option length points outside of the tcp option size.
>
> But doesn't len include the size of the actual payload?
We already validated a bit above that there's room for the TCP
options in the packet.
/* Truncated TCP options, skip */
if ((tcp_hdr(skb)->doff - 5) * 4 > len - sizeof(struct tcphdr))
return NF_DROP;
So after that point we can trust the tcph->doff field.
Therefore, you're right, I'll remove that change. Thanks.
next prev parent reply other threads:[~2013-05-15 13:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-15 12:05 [PATCH] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary Pablo Neira Ayuso
2013-05-15 12:33 ` Florian Westphal
2013-05-15 13:59 ` Pablo Neira Ayuso [this message]
2013-05-15 14:48 ` Florian Westphal
2013-05-15 15:10 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130515135935.GA1605@localhost \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.