Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options

All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Maxim Mikityanskiy <maximmi@nvidia.com>
Cc: "Florian Westphal" <fw@strlen.de>,
	"Mat Martineau" <mathew.j.martineau@linux.intel.com>,
	"Matthieu Baerts" <matthieu.baerts@tessares.net>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	"Pablo Neira Ayuso" <pablo@netfilter.org>,
	"Jozsef Kadlecsik" <kadlec@netfilter.org>,
	"Toke Høiland-Jørgensen" <toke@toke.dk>,
	"Jamal Hadi Salim" <jhs@mojatatu.com>,
	"Cong Wang" <xiyou.wangcong@gmail.com>,
	"Jiri Pirko" <jiri@resnulli.us>,
	"Patrick McHardy" <kaber@trash.net>,
	"Jesper Dangaard Brouer" <brouer@redhat.com>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Christoph Paasch" <cpaasch@apple.com>,
	"Peter Krystad" <peter.krystad@linux.intel.com>,
	"Young Xiao" <92siuyang@gmail.com>,
	netdev@vger.kernel.org
Subject: Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
Date: Thu, 10 Jun 2021 10:56:07 +0200	[thread overview]
Message-ID: <20210610085607.GN20020@breakpoint.cc> (raw)
In-Reply-To: <4ec99ea3-6ab1-eee4-be60-992cf2f9cd45@nvidia.com>

Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> On 2021-06-09 17:51, Florian Westphal wrote:
> > Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> > > The TCP option parser in synproxy (synproxy_parse_options) could read
> > > one byte out of bounds. When the length is 1, the execution flow gets
> > > into the loop, reads one byte of the opcode, and if the opcode is
> > > neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
> > > the length of 1.
> > > 
> > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> > > out of bounds when parsing TCP options.").
> > > 
> > > Cc: Young Xiao <92siuyang@gmail.com>
> > > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
> > > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
> > > ---
> > >   net/netfilter/nf_synproxy_core.c | 2 ++
> > >   1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
> > > index b100c04a0e43..621eb5ef9727 100644
> > > --- a/net/netfilter/nf_synproxy_core.c
> > > +++ b/net/netfilter/nf_synproxy_core.c
> > > @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
> > >   			length--;
> > >   			continue;
> > >   		default:
> > > +			if (length < 2)
> > > +				return true;
> > 
> > Would you mind a v2 that also rejects bogus th->doff value when
> > computing the length?
> 
> Could you elaborate? The length is a signed int calculated as `(th->doff *
> 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, so we
> never enter the loop. Or are you concerned of passing a negative length to
> skb_header_pointer?

Yes, negative length to skb_header_pointer.  For other usage (mptcp for
example) tcp stack validated th->doff already, but thats not the case for synproxy.

next prev parent reply	other threads:[~2021-06-10  8:56 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
2021-06-09 14:51   ` Florian Westphal
2021-06-10  7:05     ` Maxim Mikityanskiy
2021-06-10  8:56       ` Florian Westphal [this message]
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
2021-06-10  0:07   ` Mat Martineau
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2021-06-09 21:51   ` Toke Høiland-Jørgensen
2021-06-10 11:19     ` Maxim Mikityanskiy
2021-06-10 14:33       ` Toke Høiland-Jørgensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210610085607.GN20020@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=92siuyang@gmail.com \
    --cc=brouer@redhat.com \
    --cc=cpaasch@apple.com \
    --cc=davem@davemloft.net \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=kaber@trash.net \
    --cc=kadlec@netfilter.org \
    --cc=kuba@kernel.org \
    --cc=mathew.j.martineau@linux.intel.com \
    --cc=matthieu.baerts@tessares.net \
    --cc=maximmi@nvidia.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    --cc=peter.krystad@linux.intel.com \
    --cc=toke@toke.dk \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.