Young Xiao 9609dad263 ipv4: tcp_input: fix stack out of bounds when parsing TCP options. ...

The TCP option parsing routines in tcp_parse_options function could
read one byte out of the buffer of the TCP options.

1         while (length > 0) {
2                 int opcode = *ptr++;
3                 int opsize;
4
5                 switch (opcode) {
6                 case TCPOPT_EOL:
7                         return;
8                 case TCPOPT_NOP:        /* Ref: RFC 793 section 3.1 */
9                         length--;
10                        continue;
11                default:
12                        opsize = *ptr++; //out of bound access

If length = 1, then there is an access in line2.
And another access is occurred in line 12.
This would lead to out-of-bound access.

Therefore, in the patch we check that the available data length is
larger enough to pase both TCP option code and size.

Signed-off-by: Young Xiao <92siuyang@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2019-05-30 12:32:47 -07:00

..

bpfilter

SPDX update for 5.2-rc2, round 1

2019-05-21 12:33:38 -07:00

netfilter

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

2019-05-23 14:45:36 -07:00

af_inet.c

net: rework SIOCGSTAMP ioctl handling

2019-04-19 14:07:40 -07:00

ah4.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

arp.c

net: Evict neighbor entries on carrier down

2018-10-12 09:47:39 -07:00

cipso_ipv4.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13

2019-05-21 11:28:45 +02:00

datagram.c

ipv4: Allow sending multicast packets on specific i/f using VRF socket

2018-10-02 22:28:17 -07:00

devinet.c

netlink: make validation more configurable for future strictness

2019-04-27 17:07:21 -04:00

esp4_offload.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-05-02 22:14:21 -04:00

esp4.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

fib_frontend.c

netlink: make validation more configurable for future strictness

2019-04-27 17:07:21 -04:00

fib_lookup.h

ipv4: Add fib_nh_common to fib_result

2019-04-03 21:50:20 -07:00

fib_notifier.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

fib_rules.c

ipv4: fib_rules: Fix possible infinite loop in fib_empty_table

2018-12-30 12:57:04 -08:00

fib_semantics.c

ipv4: Move exception bucket to nh_common

2019-05-05 00:47:16 -07:00

fib_trie.c

ipv4: Add fib_nh_common to fib_result

2019-04-03 21:50:20 -07:00

fou.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

gre_demux.c

net: ip_gre: use erspan key field for tunnel lookup

2019-01-22 11:52:17 -08:00

gre_offload.c

Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net

2018-07-03 10:29:26 +09:00

icmp.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-03-02 12:54:35 -08:00

igmp.c

ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST

2019-05-22 22:08:06 -07:00

inet_connection_sock.c

ipv4: Prepare rtable for IPv6 gateway

2019-04-08 15:22:40 -07:00

inet_diag.c

inet_diag: fix reporting cgroup classid and fallback to priority

2019-02-12 13:35:57 -05:00

inet_fragment.c

net: remove unused struct inet_frag_queue.fragments field

2019-02-26 08:27:05 -08:00

inet_hashtables.c

net: dccp: fix kernel crash on module load

2018-12-24 15:27:56 -08:00

inet_timewait_sock.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

inetpeer.c

net: ipv4: use a dedicated counter for icmp_v4 redirect packets

2019-02-08 21:50:15 -08:00

ip_forward.c

ipv4: Prepare rtable for IPv6 gateway

2019-04-08 15:22:40 -07:00

ip_fragment.c

net: remove unused struct inet_frag_queue.fragments field

2019-02-26 08:27:05 -08:00

ip_gre.c

net: ip_gre: fix possible use-after-free in erspan_rcv

2019-04-08 16:16:47 -07:00

ip_input.c

net: use indirect calls helpers at early demux stage

2019-05-05 10:38:04 -07:00

ip_options.c

vrf: check accept_source_route on the original netdevice

2019-04-01 10:44:58 -07:00

ip_output.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

ip_sockglue.c

ip_sockglue: Fix missing-check bug in ip_ra_control()

2019-05-25 11:00:50 -07:00

ip_tunnel_core.c

netlink: make validation more configurable for future strictness

2019-04-27 17:07:21 -04:00

ip_tunnel.c

iptunnel: NULL pointer deref for ip_md_tunnel_xmit

2019-03-06 10:43:06 -08:00

ip_vti.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-05-02 22:14:21 -04:00

ipcomp.c

net-ipv4: remove 2 always zero parameters from ipv4_redirect()

2018-09-26 20:30:55 -07:00

ipconfig.c

ipconfig: add carrier_timeout kernel parameter

2019-02-01 15:24:13 -08:00

ipip.c

ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit

2019-01-26 09:43:03 -08:00

ipmr_base.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-05-07 17:22:09 -07:00

ipmr.c

netlink: make validation more configurable for future strictness

2019-04-27 17:07:21 -04:00

Kconfig

treewide: Add SPDX license identifier - Makefile/Kconfig

2019-05-21 10:50:46 +02:00

Makefile

xfrm: make xfrm modes builtin

2019-04-08 09:15:17 +02:00

metrics.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

netfilter.c

netfilter: ipv4: remove useless export_symbol

2019-01-28 11:32:58 +01:00

netlink.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

ping.c

net: Treat sock->sk_drops as an unsigned int when printing

2019-05-19 10:31:10 -07:00

proc.c

tcp: implement coalescing on backlog queue

2018-11-30 13:26:54 -08:00

protocol.c

fou, fou6: ICMP error handlers for FoU and GUE

2018-11-08 17:13:08 -08:00

raw_diag.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

raw.c

net: Treat sock->sk_drops as an unsigned int when printing

2019-05-19 10:31:10 -07:00

route.c

ipv4: Move exception bucket to nh_common

2019-05-05 00:47:16 -07:00

syncookies.c

tcp: free request sock directly upon TFO or syncookies error

2019-03-19 14:13:01 -07:00

sysctl_net_ipv4.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-04-25 23:52:29 -04:00

tcp_bbr.c

tcp_bbr: adapt cwnd based on ack aggregation estimation

2019-01-24 22:27:27 -08:00

tcp_bic.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_bpf.c

bpf, tcp: correctly handle DONT_WAIT flags and timeo == 0

2019-05-16 01:36:13 +02:00

tcp_cdg.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_cong.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

tcp_cubic.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_dctcp.c

dctcp: more accurate tracking of packets delivery

2019-04-11 21:31:03 -07:00

tcp_dctcp.h

tcp: refactor DCTCP ECN ACK handling

2018-10-10 22:26:00 -07:00

tcp_diag.c

net: sock: replace sk_state_load with inet_sk_state_load and remove sk_state_store

2017-12-20 14:00:25 -05:00

tcp_fastopen.c

tcp: pause Fast Open globally after third consecutive timeout

2017-12-13 15:51:12 -05:00

tcp_highspeed.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_htcp.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_hybla.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_illinois.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_input.c

ipv4: tcp_input: fix stack out of bounds when parsing TCP options.

2019-05-30 12:32:47 -07:00

tcp_ipv4.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-05-02 22:14:21 -04:00

tcp_lp.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_metrics.c

tcp: refactor setting the initial congestion window

2019-05-01 11:47:54 -04:00

tcp_minisocks.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

tcp_nv.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_offload.c

net: use indirect call wrappers at GRO transport layer

2018-12-15 13:23:02 -08:00

tcp_output.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

tcp_rate.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

tcp_recovery.c

tcp: introduce tcp_skb_timestamp_us() helper

2018-09-21 19:37:59 -07:00

tcp_scalable.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_timer.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

tcp_ulp.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

tcp_vegas.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_vegas.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

tcp_veno.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_westwood.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp_yeah.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

tcp.c

tcp: do not recycle cloned skbs

2019-05-15 09:22:41 -07:00

tunnel4.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

udp_diag.c

net: diag: document swapped src/dst in udp_dump_one.

2018-10-28 19:27:21 -07:00

udp_impl.h

udp: add missing rehash callback to udplite

2019-01-17 15:01:08 -08:00

udp_offload.c

udp: fix GRO packet of death

2019-05-01 22:29:56 -04:00

udp_tunnel.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

udp.c

net: Treat sock->sk_drops as an unsigned int when printing

2019-05-19 10:31:10 -07:00

udplite.c

udp: add missing rehash callback to udplite

2019-01-17 15:01:08 -08:00

xfrm4_input.c

xfrm: reset transport header back to network header after all input transforms ahave been applied

2018-09-04 10:26:30 +02:00

xfrm4_output.c

xfrm: store xfrm_mode directly, not its address

2019-04-08 09:15:28 +02:00

xfrm4_policy.c

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

2019-04-30 09:26:13 -04:00

xfrm4_protocol.c

xfrm: remove unneeded export_symbols

2019-04-23 07:42:20 +02:00

xfrm4_state.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

xfrm4_tunnel.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00