[Bug 738] New: reading beyond buffer limits in nf_conntrack_proto_tcp.c::tcp_options()
bugzilla-daemon at bugzilla.netfilter.org
Sun Aug 21 17:39:09 CEST 2011
http://bugzilla.netfilter.org/show_bug.cgi?id=738
Summary: reading beyond buffer limits in
nf_conntrack_proto_tcp.c::tcp_options()
Product: netfilter/iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: nf_conntrack
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: mbuilov at gmail.com
Estimated Hours: 0.0
Incorrect handling of an invalid TCP option with a too-big opsize may lead to read
access beyond the TCP packet or a buffer allocated on the stack.
In net/netfilter/nf_conntrack_proto_tcp.c:
397 while (length > 0) {
398 int opcode=*ptr++;
399 int opsize;
400
401 switch (opcode) {
402 case TCPOPT_EOL:
403 return;
404 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
405 length--;
406 continue;
407 default:
408 opsize=*ptr++;
409 if (opsize < 2) /* "silly options" */
410 return;
411 if (opsize > length)
412 break; /* don't parse partial options */
....
428 ptr += opsize - 2;
429 length -= opsize;
430 }
431 }
Doing 'break' at line 412, we forget to decrement 'length'.
Also, there is a question: why 'break' and not just 'return'?
The comment for tcp_options() says that it is a "Simplified tcp_parse_options
routine from tcp_input.c", but tcp_parse_options() does 'return' in the case of
"partial options".
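The option walk the reporter is discussing, as an added userspace example that is not part of the bug report or of the netfilter code: it keeps the shape of tcp_options() (kind byte, length byte, "silly options" check, partial-option check) but stops with 'return' on a partial option, as the reporter notes tcp_parse_options() does, and it also refuses to read the length byte when only the kind byte is left in the option region. That last check, the return value convention, the struct and the sample buffers are this example's own; the MSS, window-scale and SACK-permitted layouts and the clamp of the shift count to 14 follow RFC 793 and RFC 7323. Every read of ptr[i] happens only after the code has established that i < length, so no input can make it read past the option region.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option kinds and fixed lengths (RFC 793 / RFC 7323 values). */
#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_MSS        2
#define TCPOPT_WINDOW     3
#define TCPOPT_SACK_PERM  4
#define TCPOLEN_MSS       4
#define TCPOLEN_WINDOW    3
#define TCPOLEN_SACK_PERM 2

/* Example-only state; not the kernel's ip_ct_tcp_state. */
struct tcp_opt_state {
    uint16_t mss;           /* 0 if no MSS option was seen */
    uint8_t  td_scale;      /* window scale shift, clamped to 14 (RFC 7323) */
    int      window_scale;  /* 1 if a window-scale option was seen */
    int      sack_perm;     /* 1 if SACK-permitted was seen */
};

/*
 * Walk the option bytes of a TCP header. Returns the number of complete
 * options consumed, or -1 if the option list is malformed (length byte
 * missing, opsize < 2, or an option that runs past the end of the region).
 */
int parse_tcp_options(const uint8_t *opts, int length, struct tcp_opt_state *st)
{
    const uint8_t *ptr = opts;
    int nparsed = 0;

    memset(st, 0, sizeof(*st));
    while (length > 0) {
        int opcode = *ptr++;            /* index 0 < length: in bounds */
        int opsize;

        switch (opcode) {
        case TCPOPT_EOL:
            return nparsed;
        case TCPOPT_NOP:
            length--;
            continue;
        default:
            /* Example's own check: the length byte must itself lie inside
             * the option region before it is read. */
            if (length < 2)
                return -1;
            opsize = *ptr++;
            if (opsize < 2)             /* "silly options" */
                return -1;
            if (opsize > length)        /* partial option: stop, do not advance */
                return -1;
            /* From here on bytes ptr[0 .. opsize-3] are inside the region. */
            if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) {
                st->mss = (uint16_t)((ptr[0] << 8) | ptr[1]);
            } else if (opcode == TCPOPT_WINDOW && opsize == TCPOLEN_WINDOW) {
                st->td_scale = ptr[0] > 14 ? 14 : ptr[0];
                st->window_scale = 1;
            } else if (opcode == TCPOPT_SACK_PERM && opsize == TCPOLEN_SACK_PERM) {
                st->sack_perm = 1;
            }
            /* Unknown kinds are skipped by their declared size. */
            ptr += opsize - 2;
            length -= opsize;
            nparsed++;
        }
    }
    return nparsed;
}

/* Constructed sample option lists for this example (not captured traffic). */
static const uint8_t SAMPLE_SYN[] = {
    TCPOPT_MSS, TCPOLEN_MSS, 0x05, 0xb4,       /* MSS 1460 */
    TCPOPT_NOP,
    TCPOPT_WINDOW, TCPOLEN_WINDOW, 7,          /* window scale 7 */
    TCPOPT_SACK_PERM, TCPOLEN_SACK_PERM,
    TCPOPT_EOL,
};
static const uint8_t SAMPLE_BIG_SCALE[] = { TCPOPT_WINDOW, TCPOLEN_WINDOW, 20 };
static const uint8_t SAMPLE_PARTIAL[]   = { TCPOPT_WINDOW, 255, 7 };     /* opsize > length */
static const uint8_t SAMPLE_NO_LEN[]    = { TCPOPT_NOP, TCPOPT_WINDOW };  /* kind byte is last */
static const uint8_t SAMPLE_SILLY[]     = { TCPOPT_MSS, 1 };              /* opsize < 2 */

int main(void)
{
    struct tcp_opt_state st;
    int n = parse_tcp_options(SAMPLE_SYN, (int)sizeof SAMPLE_SYN, &st);
    printf("SYN options: %d parsed, mss=%u scale=%u sack_perm=%d\n",
           n, st.mss, st.td_scale, st.sack_perm);
    printf("partial option verdict: %d\n",
           parse_tcp_options(SAMPLE_PARTIAL, (int)sizeof SAMPLE_PARTIAL, &st));
    return 0;
}
```

With the partial-option case returning instead of breaking, the trailing ptr/length bookkeeping is never reached for a malformed option, so the question of whether 'length' was decremented does not arise; the caller decides whether a -1 verdict should mark the packet invalid or simply ignore the options.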