
Make TCP options parsing stricter
Closed, Public

Authored by ae on Dec 10 2019, 12:43 PM.

Details

Summary

Rework tcpopts_parse() to be more strict. Add length checks for specific TCP options. The behavior is copied from tcp_input.c.
The main purpose of the change is to avoid possible access outside of the mbuf's data.

Reported by: Maxime Villard
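
The kind of length checking the summary describes, as an added example that is not the code from this revision or from tcp_input.c: a stand-alone walk over a TCP options area that refuses any length field that would stall the loop or step outside the buffer. The function name, the flag names, the -1 return convention and the sample bytes are assumptions made for this illustration; the option kinds and lengths are the standard TCP values.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical flag names and constructed sample option blocks (not ipfw's). */
enum { OPT_MSS = 1, OPT_WSCALE = 2, OPT_SACKOK = 4, OPT_SACK = 8, OPT_TS = 16 };
static const uint8_t good_syn[] = { 2,4,0x05,0xb4, 1, 3,3,7, 4,2, 8,10,0,0,0,1,0,0,0,0 };
static const uint8_t overrun[] = { 1, 1, 8, 10, 0, 0 };  /* claims 10 bytes, 4 left */
static const uint8_t zero_len[] = { 2, 0, 0, 0 };  /* length 0 would never advance */

/* Return a bitmask of well-formed options, or -1 on an unusable length field. */
static int parse_tcp_options(const uint8_t *cp, size_t cnt, uint16_t *mss)
{
	size_t optlen;
	int bits = 0;

	for (; cnt > 0; cnt -= optlen, cp += optlen) {
		uint8_t opt = cp[0];
		optlen = 1;
		if (opt == 0)                   /* EOL: stop parsing */
			break;
		if (opt == 1)                   /* NOP: one byte, no length field */
			continue;
		if (cnt < 2)                    /* the length byte itself is missing */
			return (-1);
		optlen = cp[1];
		if (optlen < 2 || optlen > cnt) /* would stall or leave the buffer */
			return (-1);
		if (opt == 2 && optlen == 4) {  /* MSS carries a 16-bit value */
			bits |= OPT_MSS;
			*mss = (uint16_t)(cp[2] << 8 | cp[3]);
		} else if (opt == 3 && optlen == 3)
			bits |= OPT_WSCALE;
		else if (opt == 4 && optlen == 2)
			bits |= OPT_SACKOK;
		else if (opt == 5 && optlen > 2 && (optlen - 2) % 8 == 0)
			bits |= OPT_SACK;
		else if (opt == 8 && optlen == 10)
			bits |= OPT_TS;         /* other kinds or lengths: skipped */
	}
	return (bits);
}

int main(void)
{
	uint16_t mss = 0;
	printf("good=%d overrun=%d zero_len=%d\n",
	    parse_tcp_options(good_syn, sizeof(good_syn), &mss),
	    parse_tcp_options(overrun, sizeof(overrun), &mss),
	    parse_tcp_options(zero_len, sizeof(zero_len), &mss));
	return (0);
}
```

A known option kind with the wrong length is skipped without setting its bit, while a length that cannot be walked safely ends the parse with -1.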

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 28059
Build 26207: arc lint + arc unit

Event Timeline

melifaro added inline comments.
sys/netpfil/ipfw/ip_fw2.c
333

Would help if we add a comment suggesting that the parsing logic mimics one from tcp_dooptions().

334

Since we're talking about safeness: can we change the signature to be const struct tcphdr *tcp?

338

Would it be possible to rename x to something more resembling the remaining byte count?

For example, tcp_dooptions() uses cnt for the similar purpose.

This revision is now accepted and ready to land. Dec 10 2019, 1:14 PM

Looks reasonable, with good suggestions from @melifaro

ae marked 3 inline comments as done.

Committed in rS355712.