From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary
Date: Wed, 15 May 2013 15:59:35 +0200 [thread overview]
Message-ID: <20130515135935.GA1605@localhost> (raw)
In-Reply-To: <20130515123336.GE18095@breakpoint.cc>
On Wed, May 15, 2013 at 02:33:36PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > This target assumes that tcph->doff is well-formed, that may be well
> > not the case. Add extra sanity checkings to avoid possible crash due
> > to read/write out of the real packet boundary.
>
> > static unsigned int
> > tcpoptstrip_mangle_packet(struct sk_buff *skb,
> > - const struct xt_tcpoptstrip_target_info *info,
> > + const struct xt_action_param *par,
> > unsigned int tcphoff, unsigned int minlen)
> > {
> > + const struct xt_tcpoptstrip_target_info *info = par->targinfo;
> > unsigned int optl, i, j;
> > struct tcphdr *tcph;
> > u_int16_t n, o;
> > u_int8_t *opt;
> > + int len;
> > +
> [..]
> > + len = skb->len - tcphoff;
> > + if (len < sizeof(struct tcphdr))
>
> I think this needs a cast 'if (len < (int) sizeof( ...?
I'm not hitting any compilation warning.
> > @@ -51,7 +67,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
> > for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
> > optl = optlen(opt, i);
> >
> > - if (i + optl > tcp_hdrlen(skb))
> > + if (i + optl > len)
> > break;
>
> I don't understand this change. This should stop parsing if the
> option length points outside of the tcp option size.
>
> But doesn't len include the size of the actual payload?
We already validated a bit above that there's room for the TCP
options in the packet.
/* Truncated TCP options, skip */
if ((tcp_hdr(skb)->doff - 5) * 4 > len - sizeof(struct tcphdr))
return NF_DROP;
So after that point we can trust the tcph->doff field.
Therefore, you're right, I'll remove that change. Thanks.
next prev parent reply other threads:[~2013-05-15 13:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-15 12:05 [PATCH] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary Pablo Neira Ayuso
2013-05-15 12:33 ` Florian Westphal
2013-05-15 13:59 ` Pablo Neira Ayuso [this message]
2013-05-15 14:48 ` Florian Westphal
2013-05-15 15:10 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130515135935.GA1605@localhost \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).