tcp: Explicitly check option length field values in tcp_opt_get()

Reported by Coverity (CWE-606, Untrusted loop bound), and actually
harmless because we'll exit the option-scanning loop if the remaining
length is not enough for a new option, instead of reading past the
header.

In any case, it looks like a good idea to explicitly check for
reasonable values of option lengths.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
This commit is contained in:
Stefano Brivio 2023-01-04 17:31:08 +01:00
parent 08c01f5b4e
commit 37f82ccd9f

4
tcp.c
View file

@ -1146,6 +1146,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find,
break; break;
default: default:
type = *(opts++); type = *(opts++);
if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len)
return -1;
optlen = *(opts++) - 2; optlen = *(opts++) - 2;
len -= 2; len -= 2;