AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-02-20 17:07:23 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary

Browse Source 
This target assumes that tcph->doff is well-formed, that may be well
not the case. Add extra sanity checkings to avoid possible crash due
to read/write out of the real packet boundary. After this patch, the
default action on malformed TCP packets is to drop them. Moreover,
fragments are skipped.

Reported-by: Rafal Kupka <rkupka@telemetry.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso 2013-05-07 03:22:18 +02:00
parent 8cdb46da06
commit bc6bcb59dd
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
net/netfilter/xt_TCPOPTSTRIP.c
View File

@ -30,17 +30,28 @@ static inline unsigned int optlen(const u_int8_t *opt, unsigned int offset)
static unsigned int static unsigned int
tcpoptstrip_mangle_packet(struct sk_buff *skb, tcpoptstrip_mangle_packet(struct sk_buff *skb,
const struct xt_tcpoptstrip_target_info *info, const struct xt_action_param *par,
unsigned int tcphoff, unsigned int minlen) unsigned int tcphoff, unsigned int minlen)
{ {
const struct xt_tcpoptstrip_target_info *info = par->targinfo;
unsigned int optl, i, j; unsigned int optl, i, j;
struct tcphdr *tcph; struct tcphdr *tcph;
u_int16_t n, o; u_int16_t n, o;
u_int8_t *opt; u_int8_t *opt;
int len;
/* This is a fragment, no TCP header is available */
if (par->fragoff != 0)
return XT_CONTINUE;
if (!skb_make_writable(skb, skb->len)) if (!skb_make_writable(skb, skb->len))
return NF_DROP; return NF_DROP;
len = skb->len - tcphoff;
if (len < (int)sizeof(struct tcphdr) ||
tcp_hdr(skb)->doff * 4 > len)
return NF_DROP;
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
opt = (u_int8_t *)tcph; opt = (u_int8_t *)tcph;
@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
static unsigned int static unsigned int
tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par) tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{ {
return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb), return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb),
sizeof(struct iphdr) + sizeof(struct tcphdr)); sizeof(struct iphdr) + sizeof(struct tcphdr));
} }
@ -94,7 +105,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
if (tcphoff < 0) if (tcphoff < 0)
return NF_DROP; return NF_DROP;
return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff, return tcpoptstrip_mangle_packet(skb, par, tcphoff,
sizeof(*ipv6h) + sizeof(struct tcphdr)); sizeof(*ipv6h) + sizeof(struct tcphdr));
} }
#endif #endif