On Mon, 2016-03-28 at 23:11 +0200, Jozsef Kadlecsik wrote:
> In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a
> buffer with skb_header_pointer(), so it's not a false positive there and
> the KASAN report referred to that part.
>
Although the out of bound could be one extra byte,
if skb_header_bpointer() had to copy something (since it also might
return a pointer inside skb->head)
No arch would possibly fault here.
So reading one byte on the stack is fooling KASAN, but no ill effect
would actually happen.
If the read byte is < 2, the function would return because of
if (opsize < 2)
return;
If the read byte is >= 2, the function would return because of
if (opsize > length)
return; /* don't parse partial options */
(Since we care here of the case where length == 1)
No big deal, it is probably better to 'fix' the code so that it pleases
dynamic checkers.
