On Wed, Jun 21, 2023 at 05:56:53PM +0200, Florian Westphal wrote:
> Eric Dumazet says:
> nf_conntrack_dccp_packet() has a unique:
>
> dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
>
> And nothing more is 'pulled' from the packet, depending on the content.
> dh->dccph_doff, and/or dh->dccph_x ...)
> So dccp_ack_seq() is happily reading stuff past the _dh buffer.
>
> BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
> Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
> [..]
>
> Fix this by increasing the stack buffer to also include room for
> the extra sequence numbers and all the known dccp packet type headers,
> then pull again after the initial validation of the basic header.
>
> While at it, mark packets invalid that lack 48bit sequence bit but
> where RFC says the type MUST use them.
>
> Compile tested only.

Applied to nf.git, thanks
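The validate-then-pull-again pattern the quoted description adopts, as an added userspace model that is not the kernel's code or the patch itself: `header_pointer()` stands in for skb_header_pointer(), the byte layout follows the RFC 4340 generic header and ack subheader, `DCCP_MAX_HDRS` is a constructed bound, and the sample packets are constructed for the test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DCCP_FIXED_HDR 12  /* generic header without the 48-bit extension */
#define DCCP_MAX_HDRS  24  /* 16-byte generic header + 8-byte ack subheader */
enum dccp_type { DCCP_REQUEST = 0, DCCP_RESPONSE, DCCP_DATA, DCCP_ACK,
                 DCCP_DATAACK, DCCP_CLOSEREQ, DCCP_CLOSE, DCCP_RESET,
                 DCCP_SYNC, DCCP_SYNCACK };

/* Userspace stand-in for skb_header_pointer(): copy [off, off+len) of the
 * packet into scratch, or return NULL when the packet is too short.
 * Callers may only read bytes that this copy covers. */
static const uint8_t *header_pointer(const uint8_t *pkt, size_t pktlen,
                                     size_t off, size_t len, uint8_t *scratch)
{
    if (off > pktlen || len > pktlen - off)
        return NULL;
    memcpy(scratch, pkt + off, len);
    return scratch;
}
/* RFC 4340: every type except Data, Ack and DataAck MUST set X (48-bit seq). */
static int dccp_type_requires_x(unsigned type)
{
    return type != DCCP_DATA && type != DCCP_ACK && type != DCCP_DATAACK;
}
/* Validate the fixed header, work out how long the real header is for this
 * type/X combination, then pull again so every later read stays inside the
 * buffer. Returns the validated header length, or 0 for an invalid packet. */
size_t parse_dccp(const uint8_t *pkt, size_t pktlen, size_t dataoff)
{
    uint8_t buf[DCCP_MAX_HDRS];
    const uint8_t *dh = header_pointer(pkt, pktlen, dataoff, DCCP_FIXED_HDR, buf);
    if (!dh)
        return 0;
    unsigned type = (dh[8] >> 1) & 0x0f;  /* byte 8: Res(3) | Type(4) | X(1) */
    unsigned x    = dh[8] & 0x01;
    if (type > DCCP_SYNCACK || (!x && dccp_type_requires_x(type)))
        return 0;
    size_t need = x ? 16 : 12;                      /* generic header */
    if (type != DCCP_REQUEST && type != DCCP_DATA)  /* + ack subheader */
        need += x ? 8 : 4;
    if ((size_t)dh[4] * 4 < need)                   /* data offset too small */
        return 0;
    return header_pointer(pkt, pktlen, dataoff, need, buf) ? need : 0;
}
/* Constructed samples: only doff (byte 4) and type/X (byte 8) are non-zero. */
static const uint8_t pkt_ack_x1_ok[24]    = { [4] = 6, [8] = (DCCP_ACK << 1) | 1 };
static const uint8_t pkt_ack_x1_short[16] = { [4] = 6, [8] = (DCCP_ACK << 1) | 1 };
static const uint8_t pkt_request_x0[12]   = { [4] = 3, [8] = DCCP_REQUEST << 1 };
```

The second sample is the shape behind the KASAN report: the 12-byte pull succeeds, but the ack sequence lives beyond it, so the second pull rejects the packet instead of reading past the buffer.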