On Mon, 2016-03-28 at 15:29 -0400, David Miller wrote:
> From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
> Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST)
>
> >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb,
> >> > > length--;
> >> > > continue;
> >> > > default:
> >> > > + if (length < 2)
> >> > > + return;
> >> > > opsize = *ptr++;
> >> > > if (opsize < 2) /* "silly options" */
> >> > > return;
>
> I'm trying to figure out how this can even matter.
>
> If we are in the loop, length is at least one.
>
> That means it is legal to read the opsize byte.
>
> By the next check, opsize is at least 2.
>
> And then the very next line in this code makes sure length >= opsize:
>
> 	if (opsize > length)
> 		return;	/* don't parse partial options */
>
> Therefore no out-of-range access is possible as far as I can see.

Maybe use kasan_disable_current() and kasan_enable_current() to silence kasan?

Oh wait, these are not BH safe.
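Review bot: the two added lines `if (length < 2)` / `return;` in the `default:` arm look redundant against the checks already visible in the hunk: being inside the loop means length >= 1, which is all `opsize = *ptr++;` needs, and the `if (opsize > length) return; /* don't parse partial options */` quoted further down already rejects any option whose body would overrun the remaining length. If the guard exists to quiet a KASAN report, the changelog should quote that report and name the access it flags so reviewers can see which read the existing checks miss; if no such access can be identified, drop the two added lines rather than working around the tool, and in any case the kasan_disable_current()/kasan_enable_current() pair suggested in the reply is not usable here since, as the reply itself notes, it is not BH safe.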