Commit 735ee858 authored by Florian Westphal

netfilter: xt_tcpmss: check remaining length before reading optlen

Quoting reporter:
  In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
  op[i+1] directly without validating the remaining option length.

  If the last byte of the option field is not EOL/NOP (0/1), the code attempts
  to index op[i+1]. In the case where i + 1 == optlen, this causes an
  out-of-bounds read, accessing memory past the optlen boundary
  (either reading beyond the stack buffer _opt or the
  following payload).

Reported-by: sungzii <sungzii@pm.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
parent de8a70ce
@@ -61,7 +61,7 @@ tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
			return (mssval >= info->mss_min &&
				mssval <= info->mss_max) ^ info->invert;
		}
		if (op[i] < 2)
		if (op[i] < 2 || i == optlen - 1)
			i++;
		else
			i += op[i+1] ? : 1;
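Review bot: the new `i == optlen - 1` guard on the `if` line closes exactly the case the commit message describes (reading the length byte `op[i+1]` when `i + 1 == optlen`), but as written it reads as a magic condition; consider a one-line comment such as `/* last byte: no length field left to read */`, or spelling it as `i + 1 >= optlen` so the intent (the length byte would lie past the option area) is visible to the next reader. Note also that the guard only protects the read of the length byte: the `else` branch `i += op[i+1] ? : 1;` can still advance `i` past `optlen` when an option declares a length larger than the bytes remaining, so this is only safe if the enclosing loop re-checks `i` against `optlen` before the next `op[i]` access; that loop condition is outside this hunk and worth confirming in review.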