From: Weiming Shi <bestswngs@gmail.com>
To: Florian Westphal <fw@strlen.de>
Cc: edumazet@google.com, davem@davemloft.net, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, xmei5@asu.edu
Subject: Re: [PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints
Date: Thu, 19 Mar 2026 16:26:59 +0800 [thread overview]
Message-ID: <abuzU_JBGITyp0yo@SLSGDTSWING002> (raw)
In-Reply-To: <abuuKHbFhnwZ4vwM@strlen.de>
On 26-03-19 09:04, Florian Westphal wrote:
> bestswngs@gmail.com <bestswngs@gmail.com> wrote:
> > From: Weiming Shi <bestswngs@gmail.com>
> >
> > nfnl_osf_add_callback() validates opt_num bounds and string
> > NUL-termination but does not check individual option length fields.
> > A zero-length option causes nf_osf_match_one() to enter the option
> > matching loop even when foptsize sums to zero, which matches packets
> > with no TCP options where ctx->optp is NULL:
>
> Would you mind if i squash:
>
> diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> --- a/net/netfilter/nfnetlink_osf.c
> +++ b/net/netfilter/nfnetlink_osf.c
> @@ -302,6 +302,7 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> {
> struct nf_osf_user_finger *f;
> struct nf_osf_finger *kf = NULL, *sf;
> + unsigned int tot_opt_len = 0;
> int err = 0;
> int i;
>
> @@ -320,10 +321,14 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> return -EINVAL;
>
> for (i = 0; i < f->opt_num; i++) {
> - if (!f->opt[i].length)
> + if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
> return -EINVAL;
> if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
> return -EINVAL;
> +
> + tot_opt_len += f->opt[i].length;
> + if (tot_opt_len > MAX_IPOPTLEN)
> + return -EINVAL;
> }
>
> if (!memchr(f->genre, 0, MAXGENRELEN) ||
>
> There is a runtime check (WTF) for this already, but arguably it
> better belongs here.
Hi Florian,
No problem, please go ahead. Thanks for improving it.
Weiming Shi
prev parent reply other threads:[~2026-03-19 8:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-19 7:32 [PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints bestswngs
2026-03-19 7:54 ` Florian Westphal
2026-03-19 7:55 ` Greg KH
2026-03-19 8:04 ` Florian Westphal
2026-03-19 8:26 ` Weiming Shi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abuzU_JBGITyp0yo@SLSGDTSWING002 \
--to=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox