From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Baozeng Ding, Jozsef Kadlecsik, Pablo Neira Ayuso, Zubin Mithra
Subject: [PATCH 4.4 123/230] netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
Date: Fri, 22 Mar 2019 12:14:21 +0100
Message-Id: <20190322111245.302225293@linuxfoundation.org>
In-Reply-To: <20190322111236.796964179@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jozsef Kadlecsik

commit 644c7e48cb59cfc6988ddc7bf3d3b1ba5fe7fa9d upstream.

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that the TCP option parsing routines in netfilter TCP connection tracking could read one byte out of the buffer of the TCP options. Therefore in the patch we check that the available data length is large enough to parse both TCP option code and size.

Reported-by: Baozeng Ding
Tested-by: Baozeng Ding
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
Cc: Zubin Mithra
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nf_conntrack_proto_tcp.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_ length--; continue; default: + if (length < 2) + return; opsize=*ptr++; if (opsize < 2) /* "silly options" */ return;
@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buf length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return;
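Review bot: the new `if (length < 2) return;` in the `default:` arm of tcp_options() is correct only because `length` has not yet been decremented for the option kind byte at that point (the preceding arm does `length--; continue;`, the `default:` arm does not), so `length < 2` means there is no room for the size byte that `opsize=*ptr++;` is about to read; a one-line comment stating that invariant, e.g. `/* need room for kind and length bytes */`, would keep a later refactor from moving the check and reintroducing the one-byte over-read the commit message describes. Minor: the adjacent context line `opsize=*ptr++;` has no spaces around `=` (kernel style is `opsize = *ptr++;`, as tcp_sack() already writes it); fine to leave for a minimal stable backport, but worth fixing upstream while this code is being touched.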
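Review bot: this is the same two-line guard as in tcp_options(), and the surrounding context (`length--; continue;`, `default:`, `opsize = *ptr++;`, the "silly options" check) shows the two option walkers are otherwise identical, so the bounds logic now has to be kept in sync in two places; a shared helper that walks the option list once and hands each (kind, length, data) to a callback would let the check live in one place. Not a blocker for the stable backport, where the minimal fix is appropriate, but worth a follow-up upstream. Also note `opsize = *ptr++;` is spaced here while tcp_options() has `opsize=*ptr++;`, so the two sites differ in style as well as in being duplicated.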