Linux Kernel 'net/netfilter/xt_TCPMSS.c' CVE-2017-18017 Denial of Service Vulnerability

Linux Kernel is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause a denial-of-service condition.
Denys provided an awesome KASAN report pointing to an use
after free in xt_TCPMSS
I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff –git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 27241a7..c64aca6 100644
— a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
tcp_hdrlen = tcph->doff * 4;
– if (len < tcp_hdrlen)
+ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
return -1;
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -152,6 +152,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
if (len > tcp_hdrlen)
return 0;
+ /* tcph->doff has 4 bits, do not wrap it to 0 */
+ if (tcp_hdrlen >= 15 * 4)
+ return 0;
+
/*
* MSS Option not found ?! add it..
*/
Vulnerable: Linux kernel 4.11.5
Linux kernel 4.11.4
Linux kernel 4.11.3
Linux kernel 4.11.2
Linux kernel 4.11.1
Linux kernel 4.11
Linux kernel 4.10.15
Linux kernel 4.10.13
Linux kernel 4.10.12
Linux kernel 4.10.10
Linux kernel 4.10.6
Linux kernel 4.10.4
Linux kernel 4.10
Linux kernel 4.1.47
Linux kernel 4.1.4
Linux kernel 4.1.1
Linux kernel 4.0.6
Linux kernel 3.19.3
Linux kernel 3.18.22
Linux kernel 3.18.17
Linux kernel 3.18.11
Linux kernel 3.18.8
Linux kernel 3.18.7
Linux kernel 3.18.3
Linux kernel 3.18.2
Linux kernel 3.18.1
Linux kernel 3.17.4
Linux kernel 3.17.2
Linux kernel 3.16.7
Linux kernel 3.16.2
Linux kernel 3.16.1
Linux kernel 3.15.10
Linux kernel 3.15.5
Linux kernel 3.15.2
Linux kernel 3.14.54
Linux kernel 3.14.45
Linux kernel 3.14.37
Linux kernel 3.14.4
Linux kernel 3.14.3
Linux kernel 3.14.2
Linux kernel 3.13.11
Linux kernel 3.13.9
Linux kernel 3.13.3
Linux kernel 3.13.1
Linux kernel 3.12.49
Linux kernel 3.12.48
Linux kernel 3.12.44
Linux kernel 3.12.40
Linux kernel 3.12.21
Linux kernel 3.12.18
Linux kernel 3.12.17
Linux kernel 3.12.16
Linux kernel 3.12.11
Linux kernel 3.12.7
Linux kernel 3.12.4
Linux kernel 3.12.3
Linux kernel 3.12.2
Linux kernel 3.11.3
Linux kernel 3.10.90
Linux kernel 3.10.81
Linux kernel 3.10.73
Linux kernel 3.10.45
Linux kernel 3.10.41
Linux kernel 3.10.38
Linux kernel 3.10.37
Linux kernel 3.10.36
Linux kernel 3.10.30
Linux kernel 3.10.27
Linux kernel 3.10.26
Linux kernel 3.10.23
Linux kernel 3.10.22
Linux kernel 3.10.21
Linux kernel 3.10.14
Linux kernel 3.10.10
Linux kernel 3.10.9
Linux kernel 3.10.7
Linux kernel 3.10
Linux kernel 3.8.9
Linux kernel 3.8.6
Linux kernel 3.8.5
Linux kernel 3.8.4
Linux kernel 3.8.2
Linux kernel 3.8.1
Linux kernel 3.7.10
Linux kernel 3.7.9
Linux kernel 3.7.8
Linux kernel 3.7.7
Linux kernel 3.7.5
Linux kernel 3.7.4
Linux kernel 3.7.3
Linux kernel 3.7.2
Linux kernel 3.7.1
Linux kernel 3.6.11
Linux kernel 3.6.10
Linux kernel 3.6.9
Linux kernel 3.6.8
Linux kernel 3.6.7
Linux kernel 3.6.6
Linux kernel 3.6.5
Linux kernel 3.6.4
Linux kernel 3.6.3
Linux kernel 3.6.2
Linux kernel 3.6.1
Linux kernel 3.5.7
Linux kernel 3.5.6
Linux kernel 3.5.5
Linux kernel 3.5.4
Linux kernel 3.5.3
Linux kernel 3.5.2
Linux kernel 3.5.1
Linux kernel 3.4.88
Linux kernel 3.4.87
Linux kernel 3.4.86
Linux kernel 3.4.80
Linux kernel 3.4.76
Linux kernel 3.4.73
Linux kernel 3.4.72
Linux kernel 3.4.71
Linux kernel 3.4.64
Linux kernel 3.4.58
Linux kernel 3.4.42
Linux kernel 3.4.36
Linux kernel 3.4.32
Linux kernel 3.4.31
Linux kernel 3.4.27
Linux kernel 3.4.26
Linux kernel 3.4.25
Linux kernel 3.4.21
Linux kernel 3.4.20
Linux kernel 3.4.19
Linux kernel 3.4.18
Linux kernel 3.4.17
Linux kernel 3.4.16
Linux kernel 3.4.15
Linux kernel 3.4.14
Linux kernel 3.4.13
Linux kernel 3.4.12
Linux kernel 3.4.11
Linux kernel 3.4.10
Linux kernel 3.4.9
Linux kernel 3.4.8
Linux kernel 3.4.7
Linux kernel 3.4.6
Linux kernel 3.4.5
Linux kernel 3.4.4
Linux kernel 3.4.3
Linux kernel 3.4.2
Linux kernel 3.4.1
Linux kernel 3.3.5
Linux kernel 3.3.4
Linux kernel 3.3.2
Linux kernel 3.2.82
Linux kernel 3.2.72
Linux kernel 3.2.62
Linux kernel 3.2.57
Linux kernel 3.2.56
Linux kernel 3.2.51
Linux kernel 3.2.24
Linux kernel 3.2.23
Linux kernel 3.2.13
Linux kernel 3.2.12
Linux kernel 3.2.9
Linux kernel 3.2.1
Linux kernel 3.1.8
Linux kernel 3.0.98
Linux kernel 3.0.75
Linux kernel 3.0.72
Linux kernel 3.0.69
Linux kernel 3.0.65
Linux kernel 3.0.60
Linux kernel 3.0.59
Linux kernel 3.0.58
Linux kernel 3.0.37
Linux kernel 3.0.34
Linux kernel 3.0.5
Linux kernel 3.0.4
Linux kernel 3.0.2
Linux kernel 3.0.1
Linux kernel 2.6.39
Linux kernel 2.6.38
Linux kernel 2.6.37
Linux kernel 2.6.36
Linux kernel 2.6.35
Linux kernel 2.6.34
Linux kernel 2.6.33
Linux kernel 2.6.32 .9
Linux kernel 2.6.32
Linux kernel 2.6.31
Linux kernel 2.6.29
Linux kernel 2.6.28
Linux kernel 2.6.27
Linux kernel 2.6.26
Linux kernel 2.6.25
Linux kernel 2.6.24
Linux kernel 2.6.23
Linux kernel 4.4.14
Linux kernel 4.4.1
Linux kernel 4.4.0-57
Linux kernel 4.10.9
Linux kernel 4.10.8
Linux kernel 4.10.7
Linux kernel 4.10.5
Linux kernel 4.10.3
Linux kernel 4.10.2
Linux kernel 4.10.11
Linux kernel 4.10.1
Linux kernel 4.1.15
Linux kernel 4.1
Linux kernel 4.0.5
Linux kernel 4.0
Linux kernel 3.8
Linux kernel 3.7.6
Linux kernel 3.7
Linux kernel 3.6
Linux kernel 3.5
Linux kernel 3.4.93
Linux kernel 3.4.81
Linux kernel 3.4.70
Linux kernel 3.4.67
Linux kernel 3.4.29
Linux kernel 3.4
Linux kernel 3.3
Linux kernel 3.2.81
Linux kernel 3.2.78
Linux kernel 3.2.65
Linux kernel 3.2.64
Linux kernel 3.2.63
Linux kernel 3.2.60
Linux kernel 3.2.55
Linux kernel 3.2.54
Linux kernel 3.2.53
Linux kernel 3.2.52
Linux kernel 3.2.50
Linux kernel 3.2.44
Linux kernel 3.2.42
Linux kernel 3.2.38
Linux kernel 3.2.2
Linux kernel 3.2
Linux kernel 3.19
Linux kernel 3.18.9
Linux kernel 3.18
Linux kernel 3.17.6
Linux kernel 3.17
Linux kernel 3.16.6
Linux kernel 3.16.36
Linux kernel 3.16
Linux kernel 3.15
Linux kernel 3.14.73
Linux kernel 3.14.7
Linux kernel 3.14.5
Linux kernel 3.14-4
Linux kernel 3.14-1
Linux kernel 3.14
Linux kernel 3.13.7
Linux kernel 3.13.6
Linux kernel 3.13.5
Linux kernel 3.13.4
Linux kernel 3.13.0
Linux kernel 3.13
Linux kernel 3.12.22
Linux kernel 3.12.15
Linux kernel 3.12.14
Linux kernel 3.12.12
Linux kernel 3.12.1
Linux kernel 3.12
Linux kernel 3.11.9
Linux kernel 3.11.6
Linux kernel 3.11
Linux kernel 3.10.5
Linux kernel 3.10.43
Linux kernel 3.10.31
Linux kernel 3.10.20
Linux kernel 3.10.17
Linux kernel 3.10
Linux kernel 3.1
Linux kernel 3.0.66
Linux kernel 3.0.62
Linux kernel 3.0.18
Linux kernel 3.0
Linux kernel 2.6.38.6
Linux kernel 2.6.38.4
Linux kernel 2.6.38.3
Linux kernel 2.6.38.2
Linux kernel 2.6.37.2
Linux kernel 2.6.32.8
Linux kernel 2.6.32.7
Linux kernel 2.6.32.62
Linux kernel 2.6.32.61
Linux kernel 2.6.32.60
Linux kernel 2.6.32.6
Linux kernel 2.6.32.5
Linux kernel 2.6.32.3
Linux kernel 2.6.32.28
Linux kernel 2.6.32.15
Linux kernel 2.6.32.14
Linux kernel 2.6.32.13
Linux kernel 2.6.32.12
Linux kernel 2.6.32.11
Linux kernel 2.6.32.10
Linux kernel 2.6.32.1
Linux kernel 2.6.31.6
Linux kernel 2.6.31.4
Linux kernel 2.6.31.1
Linux kernel 2.6.30.5
Linux kernel 2.6.30.4
Linux kernel 2.6.30.3
Linux kernel 2.6.28.4
Linux kernel 2.6.28.10
Linux kernel 2.6.27.54
Linux kernel 2.6.27.51
Linux kernel 2.6.27.49
Linux kernel 2.6.27.26
Linux kernel 2.6.26.1
Linux kernel 2.6.25.4
Linux kernel 2.6.25.3
Linux kernel 2.6.25.2
Linux kernel 2.6.25.1
Linux kernel 2.6.24.6
Linux kernel 2.6.24.4
Linux kernel 2.6.24.3
Linux kernel 2.6.23.14
Linux kernel 2.6.23.10
Linux kernel 2.6.23.1
Not Vulnerable: Linux kernel 4.11

Leave a Reply