[Bug 738] reading beyond buffer limits in nf_conntrack_proto_tcp.c::tcp_options()

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Sun Aug 21 20:00:22 CEST 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=738





--- Comment #2 from Michael M. Builov <mbuilov at gmail.com>  2011-08-21 20:00:22 ---
Sorry, one more note for linux-3.0.1/net/netfilter/nf_conntrack_proto_tcp.c, not
related to the reported bug:

 434 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
 435                      const struct tcphdr *tcph, __u32 *sack)
 436 {
 437     unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
 438     const unsigned char *ptr;
 439     int length = (tcph->doff*4) - sizeof(struct tcphdr);
....
 441
 449     /* Fast path for timestamp-only option */
 450     if (length == TCPOLEN_TSTAMP_ALIGNED*4

At line 450 there is a wrong multiplication of TCPOLEN_TSTAMP_ALIGNED by 4.
The maximum length value is 40, but TCPOLEN_TSTAMP_ALIGNED*4 == 12*4 == 48.
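To make the arithmetic in the comment above concrete, here is an added stand-alone C example (not the kernel's code and not part of the bug report). It assumes the option constants from include/net/tcp.h (TCPOPT_NOP = 1, TCPOPT_TIMESTAMP = 8, TCPOLEN_TIMESTAMP = 10, TCPOLEN_TSTAMP_ALIGNED = 12) and a 20-byte struct tcphdr, and walks every legal data offset to show that the buggy predicate can never match while the corrected one matches exactly one header size.

```c
#include <stddef.h>

/* Values as defined in the Linux kernel's include/net/tcp.h, reproduced
 * here so the file builds without kernel headers (assumption: 3.0-era tree). */
#define TCPOPT_NOP             1
#define TCPOPT_TIMESTAMP       8
#define TCPOLEN_TIMESTAMP      10
#define TCPOLEN_TSTAMP_ALIGNED 12
#define TCP_HDR_LEN            20   /* sizeof(struct tcphdr) */
#define TCP_MAX_DOFF           15   /* doff is a 4-bit field: at most 60 bytes */

/* Option-area length for a data offset, exactly as tcp_sack() computes it. */
static int option_length(unsigned doff)
{
    return (int)(doff * 4) - TCP_HDR_LEN;
}

/* Fast-path length test as written in linux-3.0.1 (spurious "*4"). */
static int fast_path_buggy(unsigned doff)
{
    return option_length(doff) == TCPOLEN_TSTAMP_ALIGNED * 4;   /* == 48 */
}

/* The corrected length test: a timestamp-only option block is 12 bytes. */
static int fast_path_fixed(unsigned doff)
{
    return option_length(doff) == TCPOLEN_TSTAMP_ALIGNED;       /* == 12 */
}

/* Count legal data offsets (5..15) for which the predicate fires.  With the
 * buggy form the answer is 0, because the largest option area is 40 bytes;
 * with the fixed form it is 1 (doff == 8, a 32-byte header). */
static int count_matching_doffs(int (*pred)(unsigned))
{
    int n = 0;
    for (unsigned doff = 5; doff <= TCP_MAX_DOFF; doff++)
        if (pred(doff))
            n++;
    return n;
}

/* Second half of the fast path: the block must start NOP, NOP, TIMESTAMP, 10
 * (the kernel compares these four bytes as one network-order 32-bit word). */
static int is_timestamp_only(const unsigned char *opt, int length)
{
    if (opt == NULL || length != TCPOLEN_TSTAMP_ALIGNED)
        return 0;
    return opt[0] == TCPOPT_NOP && opt[1] == TCPOPT_NOP &&
           opt[2] == TCPOPT_TIMESTAMP && opt[3] == TCPOLEN_TIMESTAMP;
}

/* Constructed sample: NOP NOP TS 10 + TSval 1 + TSecr 2 (12 bytes). */
static const unsigned char kSampleOpts[TCPOLEN_TSTAMP_ALIGNED] =
    { 1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2 };
```

Because the buggy comparison never matches, every timestamp-only segment falls through to the generic option walk instead of taking the fast path; the effect is a missed optimisation rather than a memory-safety problem.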

