When the last byte of options is a non-single-byte option kind, walkers
that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end
of the option area.

Handle single-byte options first, then check that a length byte is still
available before reading op[i + 1] in xt_tcpudp and xt_dccp option
walkers.

Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Cc: stable@vger.kernel.org
Signed-off-by: David Dull <monderasdor@gmail.com>
---
 net/netfilter/xt_dccp.c   | 8 ++++++--
 net/netfilter/xt_tcpudp.c | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index e5a13ecbe6..7f9e2d5c1b 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -62,10 +62,14 @@ dccp_find_option(u_int8_t option,
 			return true;
 		}
 
-		if (op[i] < 2 || i == optlen - 1)
+		if (op[i] < 2) {
 			i++;
-		else
+			continue;
+		}
+
+		if (i + 1 >= optlen)
+			break;
+
 			i += op[i + 1] ? : 1;
 	}
 
 	spin_unlock_bh(&dccp_buflock);
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index e8991130a3..4f29b1dd0f 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -59,10 +59,14 @@ tcp_find_option(u_int8_t option,
 
 	for (i = 0; i < optlen; ) {
 		if (op[i] == option) return !invert;
-		if (op[i] < 2 || i == optlen - 1)
+		if (op[i] < 2) {
 			i++;
-		else
+			continue;
+		}
+
+		if (i + 1 >= optlen)
+			break;
+
 			i += op[i + 1] ? : 1;
 	}
 
 	return invert;
-- 
2.43.0