[PATCH 6.19 292/844] netfilter: xt_tcpmss: check remaining length before reading optlen

Next message: Sasha Levin: "[PATCH 6.19 197/844] ASoC: soc-acpi-intel-arl-match: change rt722 amp endpoint to aggregated"
Previous message: Yao Zi: "[PATCH] x86/cpu/centaur: Disable X86_FEATURE_FSGSBASE on Zhaoxin C4600"
In reply to: Sasha Levin: "[PATCH 6.19 285/844] ipv6: annotate data-races in net/ipv6/route.c"
Next in thread: Sasha Levin: "[PATCH 6.19 197/844] ASoC: soc-acpi-intel-arl-match: change rt722 amp endpoint to aggregated"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sasha Levin

Date: Sat Feb 28 2026 - 13:28:02 EST

From: Florian Westphal <fw@xxxxxxxxx>

[ Upstream commit 735ee8582da3d239eb0c7a53adca61b79fb228b3 ]

Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.

If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).

Reported-by: sungzii <sungzii@xxxxx>
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
net/netfilter/xt_tcpmss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 37704ab017992..0d32d4841cb32 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
return (mssval >= info->mss_min &&
mssval <= info->mss_max) ^ info->invert;
}
- if (op[i] < 2)
+ if (op[i] < 2 || i == optlen - 1)
i++;
else
i += op[i+1] ? : 1;
--
2.51.0