From: Jann Horn <ja...@google.com>
Date: Fri, 20 Apr 2018 15:57:30 +0200

> The old code reads the "opsize" variable from out-of-bounds memory (first
> byte behind the segment) if a broken TCP segment ends directly after an
> opcode that is neither EOL nor NOP.
>
> The result of the read isn't used for anything, so the worst thing that
> could theoretically happen is a pagefault; and since the physmap is usually
> mostly contiguous, even that seems pretty unlikely.
>
> The following C reproducer triggers the uninitialized read - however, you
> can't actually see anything happen unless you put something like a
> pr_warn() in tcp_parse_md5sig_option() to print the opsize.
...
> Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
> Signed-off-by: Jann Horn <ja...@google.com>

Applied and queued up for -stable, thank you.
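As an added illustration of the bound the quoted description calls for (this is not the kernel's tcp_parse_md5sig_option() and not the reproducer from the patch mail), here is a user-space option walk in C that refuses to read the opsize byte when the segment ends directly after an opcode; the function name and the sample option bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Option codes and the MD5 signature option length from RFC 793 / RFC 2385. */
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MD5SIG = 19, TCPOLEN_MD5SIG = 18 };

/*
 * Scan the option bytes of a TCP header (hypothetical helper, not kernel code).
 * Returns the offset of the MD5 signature option's opcode, -1 if there is
 * none, and -2 if the options are malformed (truncated opcode or bad length).
 */
int find_md5sig_option(const uint8_t *opts, size_t len)
{
    size_t i = 0;

    while (i < len) {
        uint8_t opcode = opts[i];

        if (opcode == TCPOPT_EOL)
            return -1;
        if (opcode == TCPOPT_NOP) {
            i++;
            continue;
        }
        /* The opsize byte must lie inside the segment. If the options end
         * right after this opcode, reading opts[i + 1] would be exactly the
         * out-of-bounds read described in the mail, so reject the segment. */
        if (len - i < 2)
            return -2;
        uint8_t opsize = opts[i + 1];
        /* opsize counts the opcode and opsize bytes too, and the whole
         * option must fit in what is left of the option area. */
        if (opsize < 2 || opsize > len - i)
            return -2;
        if (opcode == TCPOPT_MD5SIG && opsize == TCPOLEN_MD5SIG)
            return (int)i;
        i += opsize;
    }
    return -1;
}

/* Constructed sample: two NOPs, then an MD5 option with a zeroed digest. */
static const uint8_t sample_md5_opts[20] = { TCPOPT_NOP, TCPOPT_NOP,
                                             TCPOPT_MD5SIG, TCPOLEN_MD5SIG };
/* Constructed sample: the segment ends right after the MD5 opcode. */
static const uint8_t sample_truncated_opts[3] = { TCPOPT_NOP, TCPOPT_NOP,
                                                  TCPOPT_MD5SIG };
```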