diff options
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/xt_TCPMSS.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 7011c7164..c656269c4 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -68,7 +68,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); /* Header cannot be larger than the packet */ - if (tcplen < tcph->doff*4) + if (tcplen < tcph->doff*4 || tcph->doff*4 < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -117,6 +117,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (tcplen > tcph->doff*4) return 0; + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcph->doff >= 15) + return 0; + /* * MSS Option not found ?! add it.. */ |