Commit 86ce362
CIQ Kernel Automation
netfilter: xt_tcpmss: check remaining length before reading optlen
jira VULN-184557
cve CVE-2026-43190
commit-author Florian Westphal <fw@strlen.de>
commit 735ee85
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
Reported-by: sungzii <sungzii@pm.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 735ee85)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>1 parent 7067eac commit 86ce362
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
61 | 61 | | |
62 | 62 | | |
63 | 63 | | |
64 | | - | |
| 64 | + | |
65 | 65 | | |
66 | 66 | | |
67 | 67 | | |
| |||
0 commit comments