authorPablo Neira Ayuso <pablo@netfilter.org>2014-06-30 12:18:07 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-06-30 19:38:50 +0200
commit32946848916002e1014e6125f2b3aee208d37700 (patch)
treecdbc57fc148dc6931576059b90e992fdaaaf47d3 /src
parent7335cbed46eb81cd4f521966ef508e18b6e8059f (diff)
extra: tcp: insufficient sanitization in nfq_tcp_get_payload()
Similar to 7335cbe ("extra: fix wrong implementation in nfq_udp_get_payload"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/extra/tcp.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/extra/tcp.c b/src/extra/tcp.c
index 2eb5763..bf161aa 100644
--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
@@ -59,13 +59,17 @@ EXPORT_SYMBOL(nfq_tcp_get_hdr);
*/
void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
{
- unsigned int doff = tcph->doff * 4;
+ unsigned int len = tcph->doff * 4;
+
+ /* TCP packet is too short */
+ if (len < sizeof(struct tcphdr))
+ return NULL;
/* malformed TCP data offset. */
- if (pktb->transport_header + doff >= pktb->tail)
+ if (pktb->transport_header + len > pktb->tail)
return NULL;
- return pktb->transport_header + doff;
+ return pktb->transport_header + len;
}
EXPORT_SYMBOL(nfq_tcp_get_payload);
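Review bot: With the bound relaxed from `>=` to `>`, a segment whose header ends exactly at `pktb->tail` now yields a non-NULL pointer equal to `pktb->tail`, so a caller that reads non-NULL as "at least one payload byte is readable" would read past the end of the buffer. The doc comment above the function (it starts outside this hunk) should state this, e.g. `Returns NULL on a malformed data offset; the result may point at the end of the buffer when the segment carries no payload, so check the payload length before reading.` The added comment `/* TCP packet is too short */` also misdescribes its check, which rejects a data offset below the minimum header size; `/* data offset is smaller than the minimum TCP header */` would match the code. The function still reads `tcph->doff` before any bounds check and computes the result from `pktb->transport_header` rather than from `tcph`, presumably relying on nfq_tcp_get_hdr() having validated the header, and that precondition is worth stating in the same comment.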