author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-06-30 12:18:07 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-06-30 19:38:50 +0200 |
commit | 32946848916002e1014e6125f2b3aee208d37700 (patch) | |
tree | cdbc57fc148dc6931576059b90e992fdaaaf47d3 /src | |
parent | 7335cbed46eb81cd4f521966ef508e18b6e8059f (diff) |
extra: tcp: insufficient sanitization in nfq_tcp_get_payload()
Similar to 7335cbe ("extra: fix wrong implementation in
nfq_udp_get_payload").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/extra/tcp.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/extra/tcp.c b/src/extra/tcp.c
index 2eb5763..bf161aa 100644
--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
@@ -59,13 +59,17 @@ EXPORT_SYMBOL(nfq_tcp_get_hdr);
 */
 void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
 {
- unsigned int doff = tcph->doff * 4;
+ unsigned int len = tcph->doff * 4;
+
+ /* TCP packet is too short */
+ if (len < sizeof(struct tcphdr))
+ return NULL;
 /* malformed TCP data offset. */
- if (pktb->transport_header + doff >= pktb->tail)
+ if (pktb->transport_header + len > pktb->tail)
 return NULL;
- return pktb->transport_header + doff;
+ return pktb->transport_header + len;
 }
 EXPORT_SYMBOL(nfq_tcp_get_payload); |
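Review bot: The bounds check `pktb->transport_header + len > pktb->tail` builds the candidate pointer before validating it, so an oversized data offset is first turned into a pointer past the buffer; comparing lengths avoids that, e.g. `if (len > (size_t)(pktb->tail - pktb->transport_header)) return NULL;` (this assumes `tail` is never below `transport_header`, which the hunk does not show). With `>=` relaxed to `>`, a segment carrying no payload now yields a non-NULL pointer equal to `pktb->tail`, so the doc comment above the function (it starts outside the hunk) should say that the result may have zero readable bytes and must be used together with the payload length. The comment `/* TCP packet is too short */` does not match the test below it, which rejects a data offset under the fixed header size; `/* data offset is smaller than the minimum TCP header */` would. The check is also made against `pktb->transport_header` while `len` is read from the caller-supplied `tcph`, and nothing visible here verifies that the two refer to the same header.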