tcp: Explicitly check option length field values in tcp_opt_get()
Reported by Coverity (CWE-606, Untrusted loop bound), and actually harmless because we'll exit the option-scanning loop if the remaining length is not enough for a new option, instead of reading past the header. In any case, it looks like a good idea to explicitly check for reasonable values of option lengths. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
This commit is contained in:
Stefano Brivio
parent
08c01f5b4e
commit
37f82ccd9f
1 changed files with 4 additions and 0 deletions
4
tcp.c
4
tcp.c
|
|
@ -1146,6 +1146,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find,
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
type = *(opts++);
|
type = *(opts++);
|
||||||
|
|
||||||
|
if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len)
|
||||||
|
return -1;
|
||||||
|
|
||||||
optlen = *(opts++) - 2;
|
optlen = *(opts++) - 2;
|
||||||
len -= 2;
|
len -= 2;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue