2 files changed, 57 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 341f0f2..60a7c67 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -15,3 +15,7 @@ patch CVE-2017-7308-net-packet-fix-overflow-in-check-for-priv-area-size.patch
 #fixed in 4.1.42
 patch CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
+#fixed in 4.1.43
+patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
diff --git a/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch b/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
new file mode 100644
index 0000000..14d85d7
--- /dev/null
+++ b/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
@@ -0,0 +1,53 @@
+From a7776b8815a90da464f045f7c24d9565ae9f1963 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 3 Apr 2017 10:55:11 -0700
+Subject: [PATCH] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
+[ Upstream commit 2638fd0f92d4397884fd991d8f4925cb3f081901 ]
+Denys provided an awesome KASAN report pointing to an use
+after free in xt_TCPMSS
+I have provided three patches to fix this issue, either in xt_TCPMSS or
+in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
+impact.
+CVE: CVE-2017-18017   
+Upstream-Status: Backport  
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/netfilter/xt_TCPMSS.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
+index e762de5..6531d703 100644
+--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
+@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+        tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+        tcp_hdrlen = tcph->doff * 4;
+ 
+-       if (len < tcp_hdrlen)
+       if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
+                return -1;
+ 
+        if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+        if (len > tcp_hdrlen)
+                return 0;
+ 
+       /* tcph->doff has 4 bits, do not wrap it to 0 */
+       if (tcp_hdrlen >= 15 * 4)
+               return 0;
+
+        /*
+         * MSS Option not found ?! add it..
+         */
+-- 
+2.7.4

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 341f0f2..60a7c67 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -15,3 +15,7 @@ patch CVE-2017-7308-net-packet-fix-overflow-in-check-for-priv-area-size.patch
15		15
16	#fixed in 4.1.42	16	#fixed in 4.1.42
17	patch CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch	17	patch CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
		18
		19	#fixed in 4.1.43
		20	patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
		21


diff --git a/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch b/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch new file mode 100644 index 0000000..14d85d7 --- /dev/null +++ b/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
@@ -0,0 +1,53 @@
		1	From a7776b8815a90da464f045f7c24d9565ae9f1963 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Mon, 3 Apr 2017 10:55:11 -0700
		4	Subject: [PATCH] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
		5
		6	[ Upstream commit 2638fd0f92d4397884fd991d8f4925cb3f081901 ]
		7
		8	Denys provided an awesome KASAN report pointing to an use
		9	after free in xt_TCPMSS
		10
		11	I have provided three patches to fix this issue, either in xt_TCPMSS or
		12	in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
		13	impact.
		14
		15	CVE: CVE-2017-18017
		16	Upstream-Status: Backport
		17
		18	Signed-off-by: Eric Dumazet <edumazet@google.com>
		19	Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
		20	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
		21	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
		22	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		23	---
		24	net/netfilter/xt_TCPMSS.c \| 6 +++++-
		25	1 file changed, 5 insertions(+), 1 deletion(-)
		26
		27	diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
		28	index e762de5..6531d703 100644
		29	--- a/net/netfilter/xt_TCPMSS.c
		30	+++ b/net/netfilter/xt_TCPMSS.c
		31	@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
		32	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
		33	tcp_hdrlen = tcph->doff * 4;
		34
		35	- if (len < tcp_hdrlen)
		36	+ if (len < tcp_hdrlen \|\| tcp_hdrlen < sizeof(struct tcphdr))
		37	return -1;
		38
		39	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
		40	@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
		41	if (len > tcp_hdrlen)
		42	return 0;
		43
		44	+ /* tcph->doff has 4 bits, do not wrap it to 0 */
		45	+ if (tcp_hdrlen >= 15 * 4)
		46	+ return 0;
		47	+
		48	/*
		49	* MSS Option not found ?! add it..
		50	*/
		51	--
		52	2.7.4
		53