From 32946848916002e1014e6125f2b3aee208d37700 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 30 Jun 2014 12:18:07 +0200
Subject: extra: tcp: insufficient sanitization in nfq_tcp_get_payload()

Similar to 7335cbe ("extra: fix wrong implementation in nfq_udp_get_payload").

Signed-off-by: Pablo Neira Ayuso
---
 src/extra/tcp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/extra/tcp.c b/src/extra/tcp.c
index 2eb5763..bf161aa 100644
--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
@@ -59,13 +59,17 @@ EXPORT_SYMBOL(nfq_tcp_get_hdr);
  */
 void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
 {
-	unsigned int doff = tcph->doff * 4;
+	unsigned int len = tcph->doff * 4;
+
+	/* TCP packet is too short */
+	if (len < sizeof(struct tcphdr))
+		return NULL;
 
 	/* malformed TCP data offset. */
-	if (pktb->transport_header + doff >= pktb->tail)
+	if (pktb->transport_header + len > pktb->tail)
 		return NULL;
 
-	return pktb->transport_header + doff;
+	return pktb->transport_header + len;
 }
 EXPORT_SYMBOL(nfq_tcp_get_payload);

-- 
cgit v1.2.3
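Review bot: Relaxing the bound from `>=` to `>` means a segment whose header runs exactly up to `pktb->tail` now returns a non-NULL pointer to a zero-length payload (a one-past-the-end pointer), so callers can no longer treat non-NULL as "has data" and must check the payload length before reading through it; the doc comment that closes at the top of the hunk (its body is outside the hunk) should state this, e.g. `Returns NULL if the data offset is shorter than the fixed TCP header or points past the end of the packet; a non-NULL result may denote an empty payload.` The new `len < sizeof(struct tcphdr)` check reads `tcph->doff` before any bound on `tcph` itself has been established in this function, so the contract that `tcph` was obtained from nfq_tcp_get_hdr() (which is what makes the fixed header already in bounds) should also be documented. Forming `pktb->transport_header + len` before comparing it with `tail` creates an out-of-bounds pointer when the offset is bad; comparing lengths instead, `if ((size_t)(pktb->tail - pktb->transport_header) < len)`, avoids that, assuming `transport_header <= tail` is an invariant of `struct pkt_buff`.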