Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> This target assumes that tcph->doff is well-formed, that may be well
> not the case. Add extra sanity checkings to avoid possible crash due
> to read/write out of the real packet boundary.
> static unsigned int
> tcpoptstrip_mangle_packet(struct sk_buff *skb,
> - const struct xt_tcpoptstrip_target_info *info,
> + const struct xt_action_param *par,
> unsigned int tcphoff, unsigned int minlen)
> {
> + const struct xt_tcpoptstrip_target_info *info = par->targinfo;
> unsigned int optl, i, j;
> struct tcphdr *tcph;
> u_int16_t n, o;
> u_int8_t *opt;
> + int len;
> +
[..]
> + len = skb->len - tcphoff;
> + if (len < sizeof(struct tcphdr))
I think this needs a cast 'if (len < (int) sizeof( ...?
> @@ -51,7 +67,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
> for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
> optl = optlen(opt, i);
>
> - if (i + optl > tcp_hdrlen(skb))
> + if (i + optl > len)
> break;
I don't understand this change. This should stop parsing if the
option length points outside of the tcp option size.
But doesn't len include the size of the actual payload?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
