linux/net
Maxim Mikityanskiy ba91c49ded sch_cake: Fix out of bounds when parsing TCP options and header
The TCP option parser in cake qdisc (cake_get_tcpopt and
cake_tcph_may_drop) could read one byte out of bounds. When the length
is 1, the execution flow gets into the loop, reads one byte of the
opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
one more byte, which exceeds the length of 1.

This fix is inspired by commit 9609dad263 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").

v2 changes:

Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP
header. Although it wasn't strictly an out-of-bounds access (memory was
allocated), garbage values could be read where CAKE expected the TCP
header if doff was smaller than 5.

Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 8b7138814f ("sch_cake: Add optional ACK filter")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-06-10 14:26:18 -07:00
6lowpan 6lowpan: Fix some typos in nhc_udp.c 2021-03-24 17:52:11 -07:00
9p net: 9p: Correct function names in the kerneldoc comments 2021-03-28 17:56:56 -07:00
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-26 12:00:00 -07:00
appletalk net: appletalk: fix the usage of preposition 2021-06-08 11:37:41 -07:00
atm net: atm: pppoatm: use new API for wakeup tasklet 2021-01-29 18:24:05 -08:00
ax25 net/ax25: Delete obsolete TODO file 2021-03-30 16:54:50 -07:00
batman-adv batman-adv: Avoid WARN_ON timing related checks 2021-05-18 21:10:01 +02:00
bluetooth Bluetooth: use correct lock to prevent UAF of hdev object 2021-05-31 14:33:26 +02:00
bpf bpf: selftests: Add kfunc_call test 2021-03-26 20:41:52 -07:00
bpfilter net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
bridge net: bridge: fix vlan tunnel dst refcnt when egressing 2021-06-10 14:06:43 -07:00
caif net: caif: fix memory leak in cfusbl_device_notify 2021-06-03 15:05:07 -07:00
can can: isotp: prevent race between isotp_bind() and isotp_setsockopt() 2021-05-12 08:52:47 +02:00
ceph Notable items here are a series to take advantage of David Howells' 2021-05-06 10:27:02 -07:00
core skbuff: fix incorrect msg_zerocopy copy notifications 2021-06-10 13:39:57 -07:00
dcb net: dcb: use obj-$(CONFIG_DCB) form in net/Makefile 2021-01-27 17:03:52 -08:00
dccp net: dccp: use net_generic storage 2021-04-09 16:34:56 -07:00
decnet net/decnet: Delete obsolete TODO file 2021-03-30 16:54:50 -07:00
dns_resolver net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
dsa net: dsa: tag_8021q: fix the VLAN IDs used for encoding sub-VLANs 2021-06-01 15:02:05 -07:00
ethernet of: net: pass the dst buffer to of_get_mac_address() 2021-04-13 14:35:02 -07:00
ethtool net: ethtool: clear heap allocations for ethtool function 2021-06-09 13:53:31 -07:00
hsr net: hsr: fix mac_len checks 2021-05-24 14:10:28 -07:00
ieee802154 ieee802154: fix error return code in ieee802154_llsec_getparams() 2021-06-03 10:59:49 +02:00
ife net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
ipv4 ping: Check return value of function 'ping_queue_rcv_skb' 2021-06-10 13:44:55 -07:00
ipv6 udp: fix race between close() and udp_abort() 2021-06-09 14:08:41 -07:00
iucv iucv: af_iucv.c: Couple of typo fixes 2021-03-28 17:31:13 -07:00
kcm revert "net: kcm: fix memory leak in kcm_sendmsg" 2021-06-07 13:34:37 -07:00
key af_key: relax availability checks for skb size calculation 2021-01-04 10:05:50 +01:00
l2tp net: fix a concurrency bug in l2tp_tunnel_register() 2021-04-27 14:23:13 -07:00
l3mdev l3mdev: Correct function names in the kerneldoc comments 2021-03-28 17:56:55 -07:00
lapb net: lapb: Make "lapb_t1timer_running" able to detect an already running timer 2021-03-23 14:14:50 -07:00
llc llc2: Remove redundant assignment to rc 2021-04-27 14:16:14 -07:00
mac80211 mac80211: drop multicast fragments 2021-06-09 16:17:45 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-06 22:42:16 +02:00
mpls mpls: Remove redundant assignment to err 2021-04-27 14:17:00 -07:00
mptcp mptcp: Fix out of bounds when parsing TCP options 2021-06-10 14:26:18 -07:00
ncsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
netfilter netfilter: synproxy: Fix out of bounds when parsing TCP options 2021-06-10 14:26:18 -07:00
netlabel Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
netlink netlink: disable IRQs for netlink_lock_table() 2021-05-17 15:31:03 -07:00
netrom net: netrom: nr_in: Remove redundant assignment to ns 2021-04-28 13:59:08 -07:00
nfc nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect 2021-05-31 22:43:27 -07:00
nsh
openvswitch openvswitch: meter: fix race when getting now_ms. 2021-05-13 15:54:59 -07:00
packet net/packet: annotate data race in packet_sendmsg() 2021-06-10 14:12:54 -07:00
phonet
psample psample: Add additional metadata attributes 2021-03-14 15:00:43 -07:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-26 12:00:00 -07:00
rds net: rds: fix memory leak in rds_recvmsg 2021-06-08 16:32:17 -07:00
rfkill Another set of updates, all over the map: 2021-04-20 16:44:04 -07:00
rose net: rose: Fix fall-through warnings for Clang 2021-03-10 12:45:15 -08:00
rxrpc Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
sched sch_cake: Fix out of bounds when parsing TCP options and header 2021-06-10 14:26:18 -07:00
sctp sctp: fix the proc_handler for sysctl encap_port 2021-05-25 15:18:29 -07:00
smc Networking fixes for 5.13-rc4, including fixes from bpf, netfilter, 2021-05-26 17:44:49 -10:00
strparser
sunrpc NFS client updates for Linux 5.13 2021-05-07 11:23:41 -07:00
switchdev net: bridge: propagate extack through switchdev_port_attr_set 2021-02-14 17:38:11 -08:00
tipc tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
tls net/tls: Fix use-after-free after the TLS device goes down and up 2021-06-01 15:58:05 -07:00
unix af_unix: handle idmapped mounts 2021-01-24 14:27:18 +01:00
vmw_vsock vsock/vmci: Remove redundant assignment to err 2021-04-30 15:00:59 -07:00
wireless cfg80211: shut down interfaces on failed resume 2021-06-09 16:09:20 +02:00
x25 net/x25: Return the correct errno code 2021-06-03 15:13:56 -07:00
xdp xsk: Fix for xp_aligned_validate_desc() when len == chunk_size 2021-05-04 00:28:06 +02:00
xfrm xfrm: ipcomp: remove unnecessary get_cpu() 2021-04-19 12:49:29 +02:00
compat.c net: Return the correct errno code 2021-06-03 15:13:56 -07:00
devres.c
Kconfig bpf, kconfig: Add consolidated menu entry for bpf with core options 2021-05-11 13:56:16 -07:00
Makefile net: l3mdev: use obj-$(CONFIG_NET_L3_MASTER_DEV) form in net/Makefile 2021-01-27 17:03:52 -08:00
socket.c net: Fix a misspell in socket.c 2021-03-25 16:56:27 -07:00
sysctl_net.c net: Ensure net namespace isolation of sysctls 2021-04-12 13:27:11 -07:00