netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Florian Westphal <fw@strlen.de>
To: Maxim Mikityanskiy <maximmi@nvidia.com>
Cc: "Florian Westphal" <fw@strlen.de>,
	"Mat Martineau" <mathew.j.martineau@linux.intel.com>,
	"Matthieu Baerts" <matthieu.baerts@tessares.net>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	"Pablo Neira Ayuso" <pablo@netfilter.org>,
	"Jozsef Kadlecsik" <kadlec@netfilter.org>,
	"Toke Høiland-Jørgensen" <toke@toke.dk>,
	"Jamal Hadi Salim" <jhs@mojatatu.com>,
	"Cong Wang" <xiyou.wangcong@gmail.com>,
	"Jiri Pirko" <jiri@resnulli.us>,
	"Patrick McHardy" <kaber@trash.net>,
	"Jesper Dangaard Brouer" <brouer@redhat.com>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Christoph Paasch" <cpaasch@apple.com>,
	"Peter Krystad" <peter.krystad@linux.intel.com>,
	"Young Xiao" <92siuyang@gmail.com>,
	netdev@vger.kernel.org
Subject: Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
Date: Thu, 10 Jun 2021 10:56:07 +0200	[thread overview]
Message-ID: <20210610085607.GN20020@breakpoint.cc> (raw)
In-Reply-To: <4ec99ea3-6ab1-eee4-be60-992cf2f9cd45@nvidia.com>

Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> On 2021-06-09 17:51, Florian Westphal wrote:
> > Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> > > The TCP option parser in synproxy (synproxy_parse_options) could read
> > > one byte out of bounds. When the length is 1, the execution flow gets
> > > into the loop, reads one byte of the opcode, and if the opcode is
> > > neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
> > > the length of 1.
> > > 
> > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> > > out of bounds when parsing TCP options.").
> > > 
> > > Cc: Young Xiao <92siuyang@gmail.com>
> > > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
> > > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
> > > ---
> > >   net/netfilter/nf_synproxy_core.c | 2 ++
> > >   1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
> > > index b100c04a0e43..621eb5ef9727 100644
> > > --- a/net/netfilter/nf_synproxy_core.c
> > > +++ b/net/netfilter/nf_synproxy_core.c
> > > @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
> > >   			length--;
> > >   			continue;
> > >   		default:
> > > +			if (length < 2)
> > > +				return true;
> > 
> > Would you mind a v2 that also rejects bogus th->doff value when
> > computing the length?
> 
> Could you elaborate? The length is a signed int calculated as `(th->doff *
> 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, so we
> never enter the loop. Or are you concerned of passing a negative length to
> skb_header_pointer?

Yes, negative length to skb_header_pointer.  For other usage (mptcp for
example) tcp stack validated th->doff already, but thats not the case for synproxy.

  reply	other threads:[~2021-06-10  8:56 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
2021-06-09 14:51   ` Florian Westphal
2021-06-10  7:05     ` Maxim Mikityanskiy
2021-06-10  8:56       ` Florian Westphal [this message]
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
2021-06-10  0:07   ` Mat Martineau
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2021-06-09 21:51   ` Toke Høiland-Jørgensen
2021-06-10 11:19     ` Maxim Mikityanskiy
2021-06-10 14:33       ` Toke Høiland-Jørgensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210610085607.GN20020@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=92siuyang@gmail.com \
    --cc=brouer@redhat.com \
    --cc=cpaasch@apple.com \
    --cc=davem@davemloft.net \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=kaber@trash.net \
    --cc=kadlec@netfilter.org \
    --cc=kuba@kernel.org \
    --cc=mathew.j.martineau@linux.intel.com \
    --cc=matthieu.baerts@tessares.net \
    --cc=maximmi@nvidia.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    --cc=peter.krystad@linux.intel.com \
    --cc=toke@toke.dk \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).