APPLIED[T]: [CVE-2017-18017][Trusty][Zesty][PATCH 1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
Stefan Bader
stefan.bader at canonical.com
Fri Feb 2 09:57:40 UTC 2018
On 09.01.2018 04:30, Po-Hsu Lin wrote:
> From: Eric Dumazet <edumazet at google.com>
>
> CVE-2017-18017
>
> Denys provided an awesome KASAN report pointing to an use
> after free in xt_TCPMSS
>
> I have provided three patches to fix this issue, either in xt_TCPMSS or
> in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
> impact.
>
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Reported-by: Denys Fedoryshchenko <nuclearcat at nuclearcat.com>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
> net/netfilter/xt_TCPMSS.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index e762de5..6531d70 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
> tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
> tcp_hdrlen = tcph->doff * 4;
>
> - if (len < tcp_hdrlen)
> + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
> return -1;
>
> if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
> @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
> if (len > tcp_hdrlen)
> return 0;
>
> + /* tcph->doff has 4 bits, do not wrap it to 0 */
> + if (tcp_hdrlen >= 15 * 4)
> + return 0;
> +
> /*
> * MSS Option not found ?! add it..
> */
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20180202/cb228766/attachment.sig>
More information about the kernel-team
mailing list