From: Dmitry Popov Date: Sun, 8 Aug 2010 03:24:28 +0000 (-0700) Subject: tcp: no md5sig option size check bug X-Git-Tag: firefly_0821_release~9833^2~400^2~192 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ba78e2ddca844598c0efcbf2c76d73519a61b902;p=firefly-linux-kernel-4.4.55.git tcp: no md5sig option size check bug tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG) length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16 bytes long. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller --- diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 3c426cb318e7..e663b78a2ef6 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3930,7 +3930,7 @@ u8 *tcp_parse_md5sig_option(struct tcphdr *th) if (opsize < 2 || opsize > length) return NULL; if (opcode == TCPOPT_MD5SIG) - return ptr; + return opsize == TCPOLEN_MD5SIG ? ptr : NULL; } ptr += opsize - 2; length -= opsize;
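Review bot: on the TCPOPT_MD5SIG branch of tcp_parse_md5sig_option, a wrong-length option now returns NULL, the same value the function already returns for a bad opsize two lines up, so callers cannot tell a malformed MD5 option from the other NULL cases. A one-line comment there would help. It should say that TCPOLEN_MD5SIG counts the kind and length bytes, and that ptr already points past them (the loop advances with `ptr += opsize - 2`), which is what gives the 16 readable bytes the commit message says tcp_v[46]_inbound_md5_hash assume. It is also worth confirming in those two callers that a NULL result for a peer with a configured key is handled as a failed check rather than as "no signature to verify", since this change routes malformed options onto that path.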