netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). Reported-by: sungzii <sungzii@pm.me> Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2026-01-19 12:30:42 +0100
committer: Florian Westphal <fw@strlen.de> 2026-01-20 16:23:38 +0100
commit: 735ee8582da3d239eb0c7a53adca61b79fb228b3 (patch)
tree: d54a941765e14fa2e42d75adfb792d513bf93fdd /net
parent: de8a70cefcb26cdceaafdc5ac144712681419c29 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 37704ab01799..0d32d4841cb3 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
 			return (mssval >= info->mss_min &&
 				mssval <= info->mss_max) ^ info->invert;
 		}
-		if (op[i] < 2)
+		if (op[i] < 2 || i == optlen - 1)
 			i++;
 		else
 			i += op[i+1] ? : 1;
author	Florian Westphal <fw@strlen.de>	2026-01-19 12:30:42 +0100
committer	Florian Westphal <fw@strlen.de>	2026-01-20 16:23:38 +0100
commit	735ee8582da3d239eb0c7a53adca61b79fb228b3 (patch)
tree	d54a941765e14fa2e42d75adfb792d513bf93fdd /net
parent	de8a70cefcb26cdceaafdc5ac144712681419c29 (diff)