From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D555C3A353D; Sat, 28 Feb 2026 17:37:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772300266; cv=none; b=VX5pCGpJANNKTVoRX2Jck6NpQl5Icjv+XuU0okjyQwzDynZNz3T1B09LmXlJYYijfDr672yP3ahzbXUZqyP8Ogk8a/ORZnrMxATdfESwLZHug75H//YMhazYQ//X0eNBab22jRjt6C8srG5KCKAtsKZ/QNjSsvwZnFzYIXtc+jw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772300266; c=relaxed/simple; bh=pFE7KMqNgpCOcihLdheVtz6wir2jtJW5f5QbLKUawRM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Qr/eB5ceiQ3effC7l+9YpZ31ceVls7K1OhhUwIhaO7HomdKKlsZ0igbl6JqZKwtIFspuUZM8xIYljqsfh0rUk0FYWC7QYp/DdRiwbJnDjspOw7EgLuZ/ovD3t8HoEmYfxqGGT7UvMN6C+z84hf3UExp8IHNVxBKwTNMGh/tO68E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=sORh0V0r; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="sORh0V0r" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9BBFC19424; Sat, 28 Feb 2026 17:37:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772300266; bh=pFE7KMqNgpCOcihLdheVtz6wir2jtJW5f5QbLKUawRM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sORh0V0rclTfo1N39C84nhfl+1o7Hw7maohE7KXDqsjFy0+UQscesJ7ItOqc0EnOS dzcadjpLP/FkjjvbVaxksSJVHvcFRfgbxN54mbB8+w2kDc3Ym4E6NMWnQUNWc7g+w/ dflNAK0Mi/6VhN1I3/EccgfazEEbNAq94XefzqUpZ+RlCtBbli7PG7Z+jBwoMmZuw/ E0pNGnuBIaDvZxNhhFxxEckBlIr2BVLGqUccTo8HNzNfrsGzNwr+WJw58acKApxsbV SL5BF1d2TKZIuYaQshHKSnofumynd5pna+X5gGFtoSOV+rVfzUvWWMvb9ghEx8Gc4y s2tqkynWq2NpQ== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Florian Westphal , sungzii , Sasha Levin Subject: [PATCH 6.19 292/844] netfilter: xt_tcpmss: check remaining length before reading optlen Date: Sat, 28 Feb 2026 12:23:25 -0500 Message-ID: <20260228173244.1509663-293-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260228173244.1509663-1-sashal@kernel.org> References: <20260228173244.1509663-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit From: Florian Westphal [ Upstream commit 735ee8582da3d239eb0c7a53adca61b79fb228b3 ] Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). Reported-by: sungzii Signed-off-by: Florian Westphal Signed-off-by: Sasha Levin --- net/netfilter/xt_tcpmss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c index 37704ab017992..0d32d4841cb32 100644 --- a/net/netfilter/xt_tcpmss.c +++ b/net/netfilter/xt_tcpmss.c @@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par) return (mssval >= info->mss_min && mssval <= info->mss_max) ^ info->invert; } - if (op[i] < 2) + if (op[i] < 2 || i == optlen - 1) i++; else i += op[i+1] ? : 1; -- 2.51.0