Reported by Coverity (CWE-606, Untrusted loop bound), and actually
harmless because we'll exit the option-scanning loop if the remaining
length is not enough for a new option, instead of reading past the
header.
In any case, it looks like a good idea to explicitly check for
reasonable values of option lengths.
Signed-off-by: Stefano Brivio
---
tcp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tcp.c b/tcp.c
index 26037b3..1e0a338 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1117,6 +1117,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find,
break;
default:
type = *(opts++);
+
+ if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len)
+ return -1;
+
optlen = *(opts++) - 2;
len -= 2;
--
2.35.1