extra: tcp: insufficient sanitization in nfq_tcp_get_payload()

Similar to 7335cbe ("extra: fix wrong implementation in
nfq_udp_get_payload").

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/extra/tcp.c b/src/extra/tcp.c
index 2eb5763..bf161aa 100644 (file)
--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
@@ -59,13 +59,17 @@ EXPORT_SYMBOL(nfq_tcp_get_hdr);
  */
 void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb)
 {
-       unsigned int doff = tcph->doff * 4;
+       unsigned int len = tcph->doff * 4;
+
+       /* TCP packet is too short */
+       if (len < sizeof(struct tcphdr))
+               return NULL;
 
        /* malformed TCP data offset. */
-       if (pktb->transport_header + doff >= pktb->tail)
+       if (pktb->transport_header + len > pktb->tail)
                return NULL;
 
-       return pktb->transport_header + doff;
+       return pktb->transport_header + len;
 }
 EXPORT_SYMBOL(nfq_tcp_get_payload);