[NETFILTER]: Fix signedness overflow in ip{,6}_tables.c
authorHideaki Yoshifuji <yoshfuji@linux-ipv6.org>
Mon, 16 Feb 2004 14:45:02 +0000 (06:45 -0800)
committerHideaki Yoshifuji <yoshfuji@linux-ipv6.org>
Mon, 16 Feb 2004 14:45:02 +0000 (06:45 -0800)
Bug discovered by Olaf Kirch.

net/ipv4/netfilter/ip_tables.c
net/ipv6/netfilter/ip6_tables.c

index a7103ccae8d648ca5180066e4d967cd88fd2138c..1c1207164e1cfbb0fd3f02b94e7d105dd98acd8c 100644 (file)
@@ -1529,11 +1529,16 @@ tcp_match(const struct sk_buff *skb,
                      == tcpinfo->flg_cmp,
                      IPT_TCP_INV_FLAGS))
                return 0;
-       if (tcpinfo->option &&
-           !tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
-                            tcpinfo->invflags & IPT_TCP_INV_OPTION,
-                            hotdrop))
-               return 0;
+       if (tcpinfo->option) {
+               if (tcph.doff * 4 < sizeof(tcph)) {
+                       *hotdrop = 1;
+                       return 0;
+               }
+               if (!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
+                                    tcpinfo->invflags & IPT_TCP_INV_OPTION,
+                                    hotdrop))
+                       return 0;
+       }
        return 1;
 }
 
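Review bot: The new `tcph.doff * 4 < sizeof(tcph)` guard only runs inside `if (tcpinfo->option)`, so a segment whose data offset is below the fixed header size is hot-dropped only when the rule asks for an option match; under any other rule it is still judged on the earlier criteria as if the header were well formed. If that is not intended, the check could be hoisted above the option test so that a malformed header is treated the same way for every rule. Either way, a comment would explain why the guard exists, for example `/* doff below the fixed header would make the unsigned length passed to tcp_find_option() wrap */`. The start of tcp_match lies outside this hunk, so an earlier doff check there cannot be ruled out.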
index 24b0565a0e9e439a2b55acd246ab58876cbfbff1..0adb7785c76102811d617ba7f47e6af52466e1ab 100644 (file)
@@ -1545,7 +1545,8 @@ tcp_find_option(u_int8_t option,
 
        duprintf("tcp_match: finding option\n");
        /* If we don't have the whole header, drop packet. */
-       if (tcp->doff * 4 > datalen) {
+       if (tcp->doff * 4 < sizeof(struct tcphdr) ||
+           tcp->doff * 4 > datalen) {
                *hotdrop = 1;
                return 0;
        }
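Review bot: The comment above the test, `/* If we don't have the whole header, drop packet. */`, now describes only the second half of the condition. The added `tcp->doff * 4 < sizeof(struct tcphdr)` clause rejects a data offset smaller than the fixed header, which is a different failure from a truncated packet. Suggest rewording it to `/* Drop if doff is smaller than the fixed header or larger than the data we have. */`. This file also puts the lower-bound check inside tcp_find_option, while ip_tables.c puts it in the caller, tcp_match, so a short remark in one of them would save a reader from hunting for the missing check. The rest of tcp_find_option is outside the hunk.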