author | 2000-07-09 12:53:55 +0000 | |
---|---|---|
committer | 2000-07-09 12:53:55 +0000 | |
commit | a4847f22b24c3aac2e6b41fd6846d9e9745b8b70 (patch) | |
tree | b7178fcc26862551d874f710dd97982ac27e7540 /sys/netinet/tcp_input.c | |
parent | reject empty scopeid/numeric portname. sync with kame. (diff) | |
be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's a
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
Diffstat (limited to 'sys/netinet/tcp_input.c')
-rw-r--r-- | sys/netinet/tcp_input.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index b556ce9ec4a..f30ddbbdf7d 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.65 2000/07/06 10:31:10 fgsch Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.66 2000/07/09 12:53:55 itojun Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -2110,8 +2110,10 @@ tcp_dooptions(tp, cp, cnt, th, ts_present, ts_val, ts_ecr) if (opt == TCPOPT_NOP) optlen = 1; else { + if (cnt < 2) + break; optlen = cp[1]; - if (optlen <= 0) + if (optlen < 2 || optlen > cnt) break; } switch (opt) { |
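Review bot: The two new bounds checks in the else branch of the tcp_dooptions hunk (`if (cnt < 2)` ahead of `optlen = cp[1]`, and `optlen < 2 || optlen > cnt` after it) have no comment explaining why 2 is the floor. A one-line comment saying that a non-NOP option is at least a kind byte plus a length byte, and that the `cnt < 2` test is what keeps the read of `cp[1]` in bounds, would stop a later cleanup from merging or reordering them. The commit message talks about dropping bogus options, but both paths use `break`, so the comment should also say whether options already parsed from the same segment are meant to stay applied.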