From: Florian Westphal <fw@strlen.de>
To: bestswngs@gmail.com
Cc: security@kernel.org, edumazet@google.com, davem@davemloft.net,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
xmei5@asu.edu
Subject: Re: [PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints
Date: Thu, 19 Mar 2026 09:04:56 +0100 [thread overview]
Message-ID: <abuuKHbFhnwZ4vwM@strlen.de> (raw)
In-Reply-To: <20260319073243.1176330-2-bestswngs@gmail.com>
bestswngs@gmail.com <bestswngs@gmail.com> wrote:
> From: Weiming Shi <bestswngs@gmail.com>
>
> nfnl_osf_add_callback() validates opt_num bounds and string
> NUL-termination but does not check individual option length fields.
> A zero-length option causes nf_osf_match_one() to enter the option
> matching loop even when foptsize sums to zero, which matches packets
> with no TCP options where ctx->optp is NULL:
Would you mind if i squash:
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -302,6 +302,7 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
{
struct nf_osf_user_finger *f;
struct nf_osf_finger *kf = NULL, *sf;
+ unsigned int tot_opt_len = 0;
int err = 0;
int i;
@@ -320,10 +321,14 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
return -EINVAL;
for (i = 0; i < f->opt_num; i++) {
- if (!f->opt[i].length)
+ if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
return -EINVAL;
if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
return -EINVAL;
+
+ tot_opt_len += f->opt[i].length;
+ if (tot_opt_len > MAX_IPOPTLEN)
+ return -EINVAL;
}
if (!memchr(f->genre, 0, MAXGENRELEN) ||
There is a runtime check (WTF) for this already, but arguably it
better belongs here.
next prev parent reply other threads:[~2026-03-19 8:04 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-19 7:32 [PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints bestswngs
2026-03-19 7:54 ` Florian Westphal
2026-03-19 7:55 ` Greg KH
2026-03-19 8:04 ` Florian Westphal [this message]
2026-03-19 8:26 ` Weiming Shi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abuuKHbFhnwZ4vwM@strlen.de \
--to=fw@strlen.de \
--cc=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=security@kernel.org \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox