[Bug 1113] New: integer overflow in xt_TCPMSS

bugzilla-daemon at netfilter.org
Thu Jan 19 06:34:54 CET 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1113

            Bug ID: 1113
           Summary: integer overflow in xt_TCPMSS
           Product: netfilter/iptables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ip_tables (kernel)
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: kondratev.pavel at gmail.com

Created attachment 491
  --> https://bugzilla.netfilter.org/attachment.cgi?id=491&action=edit
patch 1

Integer overflow in the module when using ppp interfaces (may not be specific)
and broken packets (specially generated).

--- /home/pavel/make/linux-3.16.39/net/netfilter/xt_TCPMSS.c    2016-11-20
06:17:41.000000000 +0500
+++ ./xt_TCPMSS.c    2016-04-05 13:32:05.000000000 +0500
@@ -126,7 +126,7 @@
         newmss = info->mss;

     opt = (u_int8_t *)tcph;
-    for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
optlen(opt, i)) {
+    for (i = sizeof(struct tcphdr); i + TCPOLEN_MSS <= tcp_hdrlen; i +=
optlen(opt, i)) {
         if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
             u_int16_t oldmss;
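
Review bot: In the rewritten loop condition, `i + TCPOLEN_MSS <= tcp_hdrlen` avoids the subtraction `tcp_hdrlen - TCPOLEN_MSS` going below zero, but nothing in the visible lines rejects a `tcp_hdrlen` smaller than `sizeof(struct tcphdr)` before the option walk starts, so a malformed header length is only caught by the loop bound. Consider an explicit check ahead of the loop that bails out when `tcp_hdrlen < sizeof(struct tcphdr)`, in addition to reordering the comparison. Separately, the changed lines are wrapped by the mailer, and the file headers use an absolute path and `./xt_TCPMSS.c` rather than tree-relative paths, so the patch will not apply as posted; please resend an unwrapped diff against the kernel tree with a description that states which value overflows and how the packet triggers it.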
