[SRU][F:linux-bluefield][PATCH 17/21] netfilter: synproxy: Fix out of bounds when parsing TCP options

Bodong Wang bodong at nvidia.com
Mon Jul 5 15:39:55 UTC 2021

From: Maxim Mikityanskiy <maximmi at nvidia.com>

BugLink: https://bugs.launchpad.net/bugs/1934499

The TCP option parser in synproxy (synproxy_parse_options) could read
one byte out of bounds. When the length is 1, the execution flow gets
into the loop, reads one byte of the opcode, and if the opcode is
neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
the length of 1.

This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

v2 changes:

Added an early return when length < 0 to avoid calling
skb_header_pointer with negative length.

Cc: Young Xiao <92siuyang at gmail.com>
Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Signed-off-by: Maxim Mikityanskiy <maximmi at nvidia.com>
Reviewed-by: Florian Westphal <fw at strlen.de>
Signed-off-by: David S. Miller <davem at davemloft.net>
Reviewed-by: Tariq Toukan <tariqt at nvidia.com>
(cherry picked from commit 5fc177ab759418c9537433e63301096e733fb915)
Signed-off-by: Bodong Wang <bodong at nvidia.com>
 net/netfilter/nf_synproxy_core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 4bb4cfd..c6c0d27 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -31,6 +31,9 @@
 	int length = (th->doff * 4) - sizeof(*th);
 	u8 buf[40], *ptr;
+	if (unlikely(length < 0))
+		return false;
 	ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
 	if (ptr == NULL)
 		return false;
@@ -47,6 +50,8 @@
+			if (length < 2)
+				return true;
 			opsize = *ptr++;
 			if (opsize < 2)
 				return true;

More information about the kernel-team mailing list