On Sun, 2012-04-01 at 23:29 -0400, David Miller wrote: > From: Eric Dumazet <eric.dumazet@xxxxxxxxx> > Date: Mon, 02 Apr 2012 05:19:33 +0200 > > >> @@ -3845,6 +3845,8 @@ void tcp_parse_options(const struct sk_buff *skb, struct tcp_options_received *o > >> length--; > >> continue; > >> default: > >> + if (length < 2) > >> + return; > >> opsize = *ptr++; > >> if (opsize < 2) /* "silly options" */ > >> return; > > > > Acked-by: Eric Dumazet <eric.dumazet@xxxxxxxxx> > > Tag Eric, you're it. > > You ACK'd this patch, so you get to show how this is actually able > to cause some kind of problem. > > I assert that this is adding a useless test, that doesn't fix any kind > of possible crash or misbehavior. If length == 1 at the default:, the > code will absolutely do the right thing. > > Prove me wrong. No problem. You can have NOP,NOP,NOP,EVIL-OPTION initial length=4 (multiple of 4) We can read 5 bytes, and access 'out of bound' memory. Usually not a problem since we have many bytes after our head. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
