<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - integer overflow in xt_TCPMSS"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1113">1113</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>integer overflow in xt_TCPMSS
</td>
</tr>
<tr>
<th>Product</th>
<td>netfilter/iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>ip_tables (kernel)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>kondratev.pavel@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=491" name="attach_491" title="patch 1">attachment 491</a></span>
patch 1
Integer overflow in the module when using ppp interfaces (may not be specific) and
broken packets (specially generated)
--- /home/pavel/make/linux-3.16.39/net/netfilter/xt_TCPMSS.c 2016-11-20
06:17:41.000000000 +0500
+++ ./xt_TCPMSS.c 2016-04-05 13:32:05.000000000 +0500
@@ -126,7 +126,7 @@
newmss = info->mss;
opt = (u_int8_t *)tcph;
- for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i +=
optlen(opt, i)) {
+ for (i = sizeof(struct tcphdr); i + TCPOLEN_MSS <= tcp_hdrlen; i +=
optlen(opt, i)) {
if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
u_int16_t oldmss;</pre>
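Review bot: The rewritten loop condition (i + TCPOLEN_MSS &lt;= tcp_hdrlen) removes the subtraction that can wrap when tcp_hdrlen is smaller than TCPOLEN_MSS, but the loop still starts at sizeof(struct tcphdr) and relies on tcp_hdrlen with no lower-bound check visible in this hunk. Consider rejecting the packet before the loop when tcp_hdrlen is less than sizeof(struct tcphdr), so the fix does not depend on the types of i and tcp_hdrlen, which the hunk does not show. The step optlen(opt, i) is read from packet data, so please confirm in the description that it always advances i. For submission, generate the diff with -p1 paths from the kernel tree root rather than an absolute home-directory path, and add a changelog and a Signed-off-by line.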
</div>
</p>
</body>
</html>