netfilter: xt_tcpmss: check remaining length before reading optlen - user/sven/linux.git

diff options

author	Florian Westphal <fw@strlen.de>	2026-01-19 12:30:42 +0100
committer	Florian Westphal <fw@strlen.de>	2026-01-20 16:23:38 +0100
commit	735ee8582da3d239eb0c7a53adca61b79fb228b3 (patch)
tree	d54a941765e14fa2e42d75adfb792d513bf93fdd /include
parent	de8a70cefcb26cdceaafdc5ac144712681419c29 (diff)

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). Reported-by: sungzii <sungzii@pm.me> Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: