| Message ID | 20210610164031.3412479-3-maximmi@nvidia.com (mailing list archive) |
|---|---|
| State | Mainlined, archived |
| Delegated to: | Matthieu Baerts |
| Headers | show |
| Series | Fix out of bounds when parsing TCP options | expand |
On Thu, 10 Jun 2021, Maxim Mikityanskiy wrote: > The TCP option parser in mptcp (mptcp_get_options) could read one byte > out of bounds. When the length is 1, the execution flow gets into the > loop, reads one byte of the opcode, and if the opcode is neither > TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the > length of 1. > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack > out of bounds when parsing TCP options."). > > Cc: Young Xiao <92siuyang@gmail.com> > Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> > Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> > --- > net/mptcp/options.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/mptcp/options.c b/net/mptcp/options.c > index 6b825fb3fa83..9b263f27ce9b 100644 > --- a/net/mptcp/options.c > +++ b/net/mptcp/options.c > @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, > length--; > continue; > default: > + if (length < 2) > + return; > opsize = *ptr++; > if (opsize < 2) /* "silly options" */ > return; > -- > 2.25.1 Matthieu - Could you apply this in mptcp_net-next so it's easier to track when the patch finds its way to net-next? (MPTCP patchwork status set to "queued") Thanks! -- Mat Martineau Intel
On Thu, 10 Jun 2021, Mat Martineau wrote: > On Thu, 10 Jun 2021, Maxim Mikityanskiy wrote: > >> The TCP option parser in mptcp (mptcp_get_options) could read one byte >> out of bounds. When the length is 1, the execution flow gets into the >> loop, reads one byte of the opcode, and if the opcode is neither >> TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the >> length of 1. >> >> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack >> out of bounds when parsing TCP options."). >> >> Cc: Young Xiao <92siuyang@gmail.com> >> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing >> connections") >> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> >> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> >> --- >> net/mptcp/options.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/net/mptcp/options.c b/net/mptcp/options.c >> index 6b825fb3fa83..9b263f27ce9b 100644 >> --- a/net/mptcp/options.c >> +++ b/net/mptcp/options.c >> @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, >> length--; >> continue; >> default: >> + if (length < 2) >> + return; >> opsize = *ptr++; >> if (opsize < 2) /* "silly options" */ >> return; >> -- >> 2.25.1 > > Matthieu - > > Could you apply this in mptcp_net-next so it's easier to track when the patch > finds its way to net-next? > > (MPTCP patchwork status set to "queued") And to clarify for Maxim: we have a separate MPTCP git tree where we stage MPTCP changes before submitting to net- or net-next. For your patch set that has related changes across a few networking subsystems, sending directly to netdev is the best thing to do. We do have other queued changes for netdev so I think it would work well to include this patch in our tree now, and it will automatically disappear once it is fully merged upstream. Sometimes it takes a couple of weeks for the net/master branch to get merged in to net-next/master. -- Mat Martineau Intel
Hi Mat, On 10/06/2021 23:03, Mat Martineau wrote: > On Thu, 10 Jun 2021, Maxim Mikityanskiy wrote: > >> The TCP option parser in mptcp (mptcp_get_options) could read one byte >> out of bounds. When the length is 1, the execution flow gets into the >> loop, reads one byte of the opcode, and if the opcode is neither >> TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the >> length of 1. >> >> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack >> out of bounds when parsing TCP options."). >> >> Cc: Young Xiao <92siuyang@gmail.com> >> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing >> connections") >> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> >> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> > > Matthieu - > > Could you apply this in mptcp_net-next so it's easier to track when the > patch finds its way to net-next? Sure, good idea! Thank you for the patch and the review! Just applied in our tree: - fdd037a5564a: mptcp: Fix out of bounds when parsing TCP options - Results: 083034593cec..1ba3eb627299 Builds and tests are now in progress: https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20210611T142646 https://github.com/multipath-tcp/mptcp_net-next/actions/workflows/build-validation.yml?query=branch:export/20210611T142646 Cheers, Matt
diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 6b825fb3fa83..9b263f27ce9b 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return;
The TCP option parser in mptcp (mptcp_get_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). Cc: Young Xiao <92siuyang@gmail.com> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> --- net/mptcp/options.c | 2 ++ 1 file changed, 2 insertions(+)