Commit cfe77022 authored by David Dull's avatar David Dull Committed by Florian Westphal

netfilter: x_tables: guard option walkers against 1-byte tail reads
When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.

Add an explicit i == optlen - 1 check before dereferencing op[i + 1]
in xt_tcpudp and xt_dccp option walkers.

Fixes: 2e4e6a17 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Signed-off-by: David Dull <monderasdor@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
parent d6d8cd2d
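The tail read the commit message describes, shown on a constructed option area as an added example (this is not kernel code and not the patch author's; the `walk_options` model, the `max_index` bookkeeping and the sample byte strings are this example's own). Each sample buffer carries one sentinel byte beyond `optlen` so the unguarded walk can be run in bounds while still revealing which index it dereferences:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the xt_tcpudp/xt_dccp option walker (added example, not kernel
 * code).  It records the highest op[] index it dereferences so the 1-byte
 * tail read of the pre-patch stepping rule is observable.  Callers pass a
 * buffer one byte longer than optlen (sentinel) so the unguarded walk
 * never leaves the allocation in this demo.
 */
struct walk_result {
	bool found;        /* option kind located within optlen bytes */
	size_t max_index;  /* highest op[] index dereferenced          */
};

/* guard_tail == false: pre-patch stepping; true: with the optlen - 1 check */
static struct walk_result walk_options(const uint8_t *op, size_t optlen,
				       uint8_t option, bool guard_tail)
{
	struct walk_result r = { false, 0 };
	size_t i = 0;

	while (i < optlen) {
		if (i > r.max_index)
			r.max_index = i;
		if (op[i] == option) {
			r.found = true;
			return r;
		}
		if (op[i] < 2 || (guard_tail && i == optlen - 1)) {
			/* single-byte kind (TCP EOL/NOP), or a kind byte sitting on
			 * the last position with no room for a length byte */
			i++;
		} else {
			/* multi-byte option: the length byte is op[i + 1] */
			if (i + 1 > r.max_index)
				r.max_index = i + 1;
			i += op[i + 1] ? op[i + 1] : 1;
		}
	}
	return r;
}

/* Constructed sample 1: NOP, NOP, then a kind byte (MSS = 2) cut off before
 * its length byte.  optlen is 3; byte 3 (0xff) is the sentinel standing in
 * for whatever follows the option area in memory. */
static const uint8_t truncated_opts[] = { 0x01, 0x01, 0x02, 0xff };
#define TRUNCATED_OPTLEN 3

/* Constructed sample 2: well-formed MSS(1460), NOP, window scale 7, plus sentinel. */
static const uint8_t good_opts[] = { 0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x07, 0xff };
#define GOOD_OPTLEN 8

int main(void)
{
	/* look for timestamp (kind 8), which neither sample contains */
	struct walk_result old = walk_options(truncated_opts, TRUNCATED_OPTLEN, 8, false);
	struct walk_result fixed = walk_options(truncated_opts, TRUNCATED_OPTLEN, 8, true);

	printf("unguarded walk: highest index read %zu (optlen %d) -> %s\n",
	       old.max_index, TRUNCATED_OPTLEN,
	       old.max_index >= TRUNCATED_OPTLEN ? "OUT OF BOUNDS" : "ok");
	printf("guarded walk:   highest index read %zu (optlen %d) -> %s\n",
	       fixed.max_index, TRUNCATED_OPTLEN,
	       fixed.max_index >= TRUNCATED_OPTLEN ? "OUT OF BOUNDS" : "ok");
	return 0;
}
```

On the truncated sample the unguarded walk dereferences index 3 (one past `optlen`) to fetch a length byte that does not exist, and whatever it finds there (here the 0xff sentinel) decides how far the walk jumps; the guarded walk stops at index 2. On the well-formed sample both variants behave identically, since the guard only fires when a kind byte lands on the final position.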
+2 −2
@@ -62,7 +62,7 @@ dccp_find_option(u_int8_t option,
			return true;
		}

		if (op[i] < 2)
		if (op[i] < 2 || i == optlen - 1)
			i++;
		else
			i += op[i + 1] ? : 1;
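Review bot: the new `i == optlen - 1` test on the `if (op[i] < 2 || i == optlen - 1)` line is a bounds check but reads like another single-byte kind value; a one-line comment above it ("kind byte in the last position has no length byte, step over it") would keep a later cleanup from folding it back into the `op[i] < 2` branch. The length byte fetched on the `i += op[i + 1] ? : 1;` line is still not validated against the bytes remaining; that is acceptable only because an oversized length can only push `i` past `optlen` and end the walk, which the same comment could state so the reasoning is recorded next to the code.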
+4 −2
@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option,

	for (i = 0; i < optlen; ) {
		if (op[i] == option) return !invert;
		if (op[i] < 2) i++;
		else i += op[i+1]?:1;
		if (op[i] < 2 || i == optlen - 1)
			i++;
		else
			i += op[i + 1] ? : 1;
	}

	return invert;
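Review bot: this hunk folds a reflow of the old one-line `if (op[i] < 2) i++;` / `else i += op[i+1]?:1;` into the multi-line form together with the actual fix; keeping the bounds change alone would make the patch a minimal candidate for stable backports, though matching the xt_dccp layout is a fair trade-off. Separately, the walk treats kind 0 (TCP end-of-option-list) the same as NOP and keeps stepping over the trailing padding instead of stopping; that is pre-existing and harmless for the out-of-bounds concern, since every step still satisfies the `i < optlen` loop condition, but a `break` on kind 0 would be the accurate TCP semantics if this walker is touched again.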