Skip to content

Commit

Permalink
mptcp: Fix out of bounds when parsing TCP options
Browse files Browse the repository at this point in the history 
The TCP option parser in mptcp (mptcp_get_options) could read one byte
out of bounds. When the length is 1, the execution flow gets into the
loop, reads one byte of the opcode, and if the opcode is neither
TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the
length of 1.

This fix is inspired by commit 9609dad ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: cec37a6 ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
  • Loading branch information
@nvmmax @matttbe
nvmmax authored and matttbe committed Jun 17, 2021
1 parent 67af55e commit f530cb1
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/mptcp/options.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb,
length--;
continue;
default:
if (length < 2)
return;
opsize = *ptr++;
if (opsize < 2) /* "silly options" */
return;
Expand Down

0 comments on commit f530cb1

Please sign in to comment.