Re: [PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints

Next message: Dan Carpenter: "Re: [PATCH] staging: rtl8723bs: refactor rtw_aes_decrypt() to reduce nesting"
Previous message: Thomas Richter: "Re: [PATCH v8 5/5] perf evlist: Improve default event for s390"
In reply to: bestswngs: "[PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints"
Next in thread: Greg KH: "Re: [PATCH net] nfnetlink_osf: validate individual option lengths in fingerprints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal

Date: Thu Mar 19 2026 - 03:59:00 EST

bestswngs@xxxxxxxxx <bestswngs@xxxxxxxxx> wrote:
> From: Weiming Shi <bestswngs@xxxxxxxxx>
>
> nfnl_osf_add_callback() validates opt_num bounds and string
> NUL-termination but does not check individual option length fields.
> A zero-length option causes nf_osf_match_one() to enter the option
> matching loop even when foptsize sums to zero, which matches packets
> with no TCP options where ctx->optp is NULL:

Applied, thanks.

How many people still use this feature?
Does this even work reliably in 2026?

I'm considering deprecation notice + eventual removal of this feature.