From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C56447AF6E; Tue, 20 Jan 2026 19:18:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768936734; cv=none; b=upvCpVEwoNMFAmWcNh4soZ8uXyA+TWdEkq0brSO0UYd+yvOA8+qBujh5EyKcslP7he4CzJxQui/JxESspYCsm1gCS6qA8s30B9NUrE8cf7sa53crHWFKxQHvIyg/1OX6JdFHh88Er/GJFx8SVVOZMOxUHcNLx3K36hEmxISa5K4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768936734; c=relaxed/simple; bh=nzVXgQAQoyL8xiY7gW4NenIUPxls1oLfHqIsY8KhDhI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=LLHj+ime0uwvLq9pG4qYHbqy6wdW1Pq31PyD627Qax0MaT1zrw7R7rMuPT7uSu7/aa71ZVjgTwqD3fV4RIFyegmskHwnomo4X6Ze7yVfMsGzSCEteznPXBCGad57PUecB2oYkUaYOkMJyhHqGlLgDCOKfhVMZurvn1+PFI8RH/E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc Received: by Chamillionaire.breakpoint.cc (Postfix, from userid 1003) id 951BA608AC; Tue, 20 Jan 2026 20:18:50 +0100 (CET) From: Florian Westphal To: Cc: Paolo Abeni , "David S. Miller" , Eric Dumazet , Jakub Kicinski , , pablo@netfilter.org Subject: [PATCH net-next 10/10] netfilter: xt_tcpmss: check remaining length before reading optlen Date: Tue, 20 Jan 2026 20:18:03 +0100 Message-ID: <20260120191803.22208-11-fw@strlen.de> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260120191803.22208-1-fw@strlen.de> References: <20260120191803.22208-1-fw@strlen.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). Reported-by: sungzii Signed-off-by: Florian Westphal --- net/netfilter/xt_tcpmss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c index 37704ab01799..0d32d4841cb3 100644 --- a/net/netfilter/xt_tcpmss.c +++ b/net/netfilter/xt_tcpmss.c @@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) return (mssval >= info->mss_min && mssval <= info->mss_max) ^ info->invert; } - if (op[i] < 2) + if (op[i] < 2 || i == optlen - 1) i++; else i += op[i+1] ? : 1; -- 2.52.0