Dev news

Commit dbdfaae96096 for kernel

commit dbdfaae9609629a9569362e3b8f33d0a20fd783c
Author: Weiming Shi <bestswngs@gmail.com>
Date:   Thu Mar 19 15:32:44 2026 +0800

    nfnetlink_osf: validate individual option lengths in fingerprints

    nfnl_osf_add_callback() validates opt_num bounds and string
    NUL-termination but does not check individual option length fields.
    A zero-length option causes nf_osf_match_one() to enter the option
    matching loop even when foptsize sums to zero, which matches packets
    with no TCP options where ctx->optp is NULL:

     Oops: general protection fault
     KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
     RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
     Call Trace:
      nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
      xt_osf_match_packet (net/netfilter/xt_osf.c:32)
      ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
      nf_hook_slow (net/netfilter/core.c:623)
      ip_local_deliver (net/ipv4/ip_input.c:262)
      ip_rcv (net/ipv4/ip_input.c:573)

    Additionally, an MSS option (kind=2) with length < 4 causes
    out-of-bounds reads when nf_osf_match_one() unconditionally accesses
    optp[2] and optp[3] for MSS value extraction.  While RFC 9293
    section 3.2 specifies that the MSS option is always exactly 4
    bytes (Kind=2, Length=4), the check uses "< 4" rather than
    "!= 4" because lengths greater than 4 do not cause memory
    safety issues -- the buffer is guaranteed to be at least
    foptsize bytes by the ctx->optsize == foptsize check.

    Reject fingerprints where any option has zero length, or where an MSS
    option has length less than 4, at add time rather than trusting these
    values in the packet matching hot path.

    Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
    Reported-by: Xiang Mei <xmei5@asu.edu>
    Signed-off-by: Weiming Shi <bestswngs@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 94e3eac5743a..45d9ad231a92 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
 {
 	struct nf_osf_user_finger *f;
 	struct nf_osf_finger *kf = NULL, *sf;
+	unsigned int tot_opt_len = 0;
 	int err = 0;
+	int i;

 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
 	if (f->opt_num > ARRAY_SIZE(f->opt))
 		return -EINVAL;

+	for (i = 0; i < f->opt_num; i++) {
+		if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
+			return -EINVAL;
+		if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
+			return -EINVAL;
+
+		tot_opt_len += f->opt[i].length;
+		if (tot_opt_len > MAX_IPOPTLEN)
+			return -EINVAL;
+	}
+
 	if (!memchr(f->genre, 0, MAXGENRELEN) ||
 	    !memchr(f->subtype, 0, MAXGENRELEN) ||
 	    !memchr(f->version, 0, MAXGENRELEN))