[NETFILTER]: Missing skb->len check in ip_conntrack_proto_tcp.c:tcp_packet().

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@redhat.com>

diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 9bcb718eca165aae6ccbf65acf28a325e39a46b4..1cc796556f27672a22bcdb8a5e4d565227232c3e 100644 (file)
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -177,6 +177,8 @@ static int tcp_packet(struct ip_conntrack *conntrack,
 
        if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &tcph, sizeof(tcph)) != 0)
                return -1;
+       if (skb->len < skb->nh.iph->ihl * 4 + tcph.doff * 4)
+               return -1;
 
        /* If only reply is a RST, we can consider ourselves not to
           have an established connection: this is a fairly common