netfilter: x_tables: guard option walkers against 1-byte tail reads

AtomicElectronCreates · Florian Westphal · commit cfe770220ac2 · 2026-03-10T14:10:42.000+01:00
When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. Fixes: 2e4e6a1 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") Signed-off-by: David Dull <monderasdor@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option,
 			return true;
 		}
 
-		if (op[i] < 2)
+		if (op[i] < 2 || i == optlen - 1)
 			i++;
 		else
-			i += op[i+1]?:1;
+			i += op[i + 1] ? : 1;
 	}
 
 	spin_unlock_bh(&dccp_buflock);
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option,
 
 	for (i = 0; i < optlen; ) {
 		if (op[i] == option) return !invert;
-		if (op[i] < 2) i++;
-		else i += op[i+1]?:1;
+		if (op[i] < 2 || i == optlen - 1)
+			i++;
+		else
+			i += op[i + 1] ? : 1;
 	}
 
 	return invert;

Original file line number	Diff line number	Diff line change
`@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option,`
`62`	`62`	`return true;`
`63`	`63`	`}`
`64`	`64`
`65`		`- if (op[i] < 2)`
	`65`	`+ if (op[i] < 2 \|\| i == optlen - 1)`
`66`	`66`	`i++;`
`67`	`67`	`else`
`68`		`- i += op[i+1]?:1;`
	`68`	`+ i += op[i + 1] ? : 1;`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`spin_unlock_bh(&dccp_buflock);`