netfilter: synproxy: fix BUG_ON triggered by corrupt TCP packets
TCP packets hitting the SYN proxy through the SYNPROXY target are not validated by TCP conntrack. When th->doff is below 5, an underflow happens when calculating the options length, causing skb_header_pointer() to return NULL and triggering the BUG_ON(). Handle this case gracefully by checking for NULL instead of using BUG_ON(). Reported-by: Martin Topholm <mph@one.com> Tested-by: Martin Topholm <mph@one.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
committed by
Pablo Neira Ayuso
parent
d1ee4fea0b
commit
f4a87e7bd2
@@ -56,7 +56,7 @@ struct synproxy_options {
|
||||
|
||||
struct tcphdr;
|
||||
struct xt_synproxy_info;
|
||||
extern void synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
|
||||
extern bool synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
|
||||
const struct tcphdr *th,
|
||||
struct synproxy_options *opts);
|
||||
extern unsigned int synproxy_options_size(const struct synproxy_options *opts);
|
||||
|
||||
Reference in New Issue
Block a user