tcp: no md5sig option size check bug
authorDmitry Popov <dp@highloadlab.com>
Sun, 8 Aug 2010 03:24:28 +0000 (20:24 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sun, 8 Aug 2010 03:24:28 +0000 (20:24 -0700)
tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG)
length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16
bytes long.

Signed-off-by: Dmitry Popov <dp@highloadlab.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_input.c

index 3c426cb318e7061795c7abce24189fbb7ea443f0..e663b78a2ef6b6286b549aa65b418fe385f32184 100644 (file)
@@ -3930,7 +3930,7 @@ u8 *tcp_parse_md5sig_option(struct tcphdr *th)
                        if (opsize < 2 || opsize > length)
                                return NULL;
                        if (opcode == TCPOPT_MD5SIG)
-                               return ptr;
+                               return opsize == TCPOLEN_MD5SIG ? ptr : NULL;
                }
                ptr += opsize - 2;
                length -= opsize;