[net,v2,0/3] Fix out of bounds when parsing TCP options

Message

Maxim Mikityanskiy June 10, 2021, 4:40 p.m. UTC

This series fixes out-of-bounds access in various places in the kernel
where parsing of TCP options takes place. Fortunately, many more
occurrences don't have this bug.

v2 changes:

synproxy: Added an early return when length < 0 to avoid calling
skb_header_pointer with negative length.

sch_cake: Added doff validation to avoid parsing garbage.

Maxim Mikityanskiy (3):
  netfilter: synproxy: Fix out of bounds when parsing TCP options
  mptcp: Fix out of bounds when parsing TCP options
  sch_cake: Fix out of bounds when parsing TCP options and header

 net/mptcp/options.c              | 2 ++
 net/netfilter/nf_synproxy_core.c | 5 +++++
 net/sched/sch_cake.c             | 6 +++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org June 10, 2021, 9:50 p.m. UTC | #1

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Thu, 10 Jun 2021 19:40:28 +0300 you wrote:
> This series fixes out-of-bounds access in various places in the kernel
> where parsing of TCP options takes place. Fortunately, many more
> occurrences don't have this bug.
> 
> v2 changes:
> 
> synproxy: Added an early return when length < 0 to avoid calling
> skb_header_pointer with negative length.
> 
> [...]

Here is the summary with links:
  - [net,v2,1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
    https://git.kernel.org/netdev/net/c/5fc177ab7594
  - [net,v2,2/3] mptcp: Fix out of bounds when parsing TCP options
    https://git.kernel.org/netdev/net/c/07718be26568
  - [net,v2,3/3] sch_cake: Fix out of bounds when parsing TCP options and header
    https://git.kernel.org/netdev/net/c/ba91c49dedbd

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html