Merge Linaro linux 4.9.62 into linux-4.9

Signed-off-by: Xiaobo Xie <xiaobo.xie@nxp.com>
author: Xie Xiaobo <xiaobo.xie@nxp.com> 2017-12-12 08:12:33 (GMT)
committer: Xie Xiaobo <xiaobo.xie@nxp.com> 2017-12-12 08:12:33 (GMT)
commit: c0246a9ec4d461ef4dd7647f94005380bb9e7f0b (patch)
tree: 7588601aa6ce98f5e9fd083a1b351d9023c0b295 /net/netfilter/xt_TCPMSS.c
parent: 50fd1a6d79d48a7c35890aecce5a5d6b872a461d (diff)
parent: 56f4a560c6d6318b5a8e18a1b3e44909a5158d1e (diff)
download: linux-c0246a9ec4d461ef4dd7647f94005380bb9e7f0b.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 872db2d..119e51f 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
 	tcp_hdrlen = tcph->doff * 4;
 
-	if (len < tcp_hdrlen)
+	if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
 		return -1;
 
 	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 	if (len > tcp_hdrlen)
 		return 0;
 
+	/* tcph->doff has 4 bits, do not wrap it to 0 */
+	if (tcp_hdrlen >= 15 * 4)
+		return 0;
+
 	/*
 	 * MSS Option not found ?! add it..
 	 */
author	Xie Xiaobo <xiaobo.xie@nxp.com>	2017-12-12 08:12:33 (GMT)
committer	Xie Xiaobo <xiaobo.xie@nxp.com>	2017-12-12 08:12:33 (GMT)
commit	c0246a9ec4d461ef4dd7647f94005380bb9e7f0b (patch)
tree	7588601aa6ce98f5e9fd083a1b351d9023c0b295 /net/netfilter/xt_TCPMSS.c
parent	50fd1a6d79d48a7c35890aecce5a5d6b872a461d (diff)
parent	56f4a560c6d6318b5a8e18a1b3e44909a5158d1e (diff)
download	linux-c0246a9ec4d461ef4dd7647f94005380bb9e7f0b.tar.xz