[Bug 738] reading beyond buffer limits in nf_conntrack_proto_tcp.c::tcp_options()
bugzilla-daemon at bugzilla.netfilter.org
Mon Aug 22 01:05:26 CEST 2011
http://bugzilla.netfilter.org/show_bug.cgi?id=738
--- Comment #3 from Michael M. Builov <mbuilov at gmail.com> 2011-08-22 01:05:26 ---
and in linux-3.0.3/net/netfilter/nf_conntrack_proto_tcp.c at lines 408 and 469,
'length' is not checked before reading 'opsize' ('length' should be >= 2):
407 default:
408 opsize=*ptr++;
409 if (opsize < 2) /* "silly options" */
...
467 default:
468 opsize = *ptr++;
469 if (opsize < 2) /* "silly options" */
just like in linux-3.0.3/net/ipv4/tcp_input.c at line 3768:
3767 default:
3768 opsize = *ptr++;
3769 if (opsize < 2) /* "silly options" */
3770 return;
This is definitely an access beyond the bounds of a malformed packet.
Maybe not fatal, but it looks inaccurate.
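The pattern the comment above points at, as an added stand-alone example (not code from the bug report or from the kernel): a TCP option walker with the same loop shape as the quoted parsers, run once without and once with a check that at least two bytes remain before 'opsize' is read. The option buffers, the 0xAA byte that stands in for whatever follows the options in the packet, and the helper names (scan_options, bytes_touched, rd) are constructed for this example; the declared 'length' deliberately excludes the sentinel so the unchecked variant's extra read can be observed without the example itself reading outside an array.

```c
#include <stddef.h>
#include <stdio.h>

/* TCP option kinds used by the sample buffers (RFC 793). */
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/* Bookkeeping for one scan: the option bytes and the highest offset read. */
struct scan {
    const unsigned char *p;
    size_t hi;              /* highest dereferenced index + 1 */
};

static unsigned char rd(struct scan *s, size_t i)
{
    if (i + 1 > s->hi)
        s->hi = i + 1;
    return s->p[i];
}

/*
 * Walk `length` bytes of TCP options at `ptr` with the same loop shape as the
 * kernel parsers quoted in the bug report: a kind byte, then (for anything
 * except EOL and NOP) a length byte "opsize", then opsize-2 bytes of data.
 *
 * strict == 0 keeps the reported pattern: opsize is read without checking
 * that at least two bytes remain, so a kind byte in the last position makes
 * the scan read one byte past the option area.
 * strict == 1 adds that check (the "length should be >= 2" condition).
 *
 * Returns the number of complete options seen; *touched receives how many
 * bytes from ptr were actually dereferenced.
 */
static int scan_options(const unsigned char *ptr, int length, int strict,
                        size_t *touched)
{
    struct scan s = { ptr, 0 };
    size_t pos = 0;
    int nopts = 0;

    while (length > 0) {
        int opcode = rd(&s, pos++);
        int opsize;

        switch (opcode) {
        case TCPOPT_EOL:
            goto done;
        case TCPOPT_NOP:
            length--;
            continue;
        default:
            if (strict && length < 2)   /* the check the report asks for */
                goto done;
            opsize = rd(&s, pos++);     /* unchecked read when length == 1 */
            if (opsize < 2)             /* "silly options" */
                goto done;
            if (opsize > length)        /* don't parse partial options */
                goto done;
            nopts++;
            pos += opsize - 2;          /* skip the option payload */
            length -= opsize;
        }
    }
done:
    if (touched)
        *touched = s.hi;
    return nopts;
}

/* Convenience wrapper: how many bytes from ptr did the scan dereference? */
static size_t bytes_touched(const unsigned char *ptr, int length, int strict)
{
    size_t touched;
    scan_options(ptr, length, strict, &touched);
    return touched;
}

/*
 * Constructed samples (not captured traffic). Each option area is followed
 * by one 0xAA byte standing in for whatever sits after the options in the
 * packet; the declared length deliberately excludes it.
 */
static const unsigned char truncated_opts[] = { TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MSS, 0xAA };
static const int truncated_len = 3;   /* MSS kind byte with no length byte */

static const unsigned char good_opts[] = { TCPOPT_MSS, 4, 0x05, 0xB4, TCPOPT_NOP, TCPOPT_EOL, 0xAA };
static const int good_len = 6;        /* MSS 1460, NOP, EOL */

int main(void)
{
    printf("truncated, unchecked: read %zu of %d bytes\n",
           bytes_touched(truncated_opts, truncated_len, 0), truncated_len);
    printf("truncated, checked:   read %zu of %d bytes\n",
           bytes_touched(truncated_opts, truncated_len, 1), truncated_len);
    printf("well-formed, checked:  read %zu of %d bytes\n",
           bytes_touched(good_opts, good_len, 1), good_len);
    return 0;
}
```

With the truncated buffer the unchecked walk dereferences 4 bytes of a 3-byte option area: the byte it takes as 'opsize' is the sentinel, exactly the read the comment describes. The 'opsize > length' test that follows does reject the option, which is why the report calls it probably not fatal, but by then the out-of-bounds byte has already been read. The strict variant stops at 3 bytes, and both variants behave identically on the well-formed buffer.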