Reported by Coverity (CWE-606, Untrusted loop bound), and actually harmless because we'll exit the option-scanning loop if the remaining length is not enough for a new option, instead of reading past the header. In any case, it looks like a good idea to explicitly check for reasonable values of option lengths. Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- tcp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tcp.c b/tcp.c index 26037b3..1e0a338 100644 --- a/tcp.c +++ b/tcp.c @@ -1117,6 +1117,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find, break; default: type = *(opts++); + + if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len) + return -1; + optlen = *(opts++) - 2; len -= 2; -- 2.35.1