For some reason, Coverity only reports this (harmless) warning after David's series unifying IPv4 and IPv6 sockets for TCP: an untrusted loop bound (CWE-606) in tcp_opt_get(), coming from the fact that we use indeed the value of a TCP header field as loop bound. Note, though, that the loop already checks we're not exceeding the length of the option field, and this field is used as 8-bit unsigned value, so we can't really look for options past the end of the header. In any case, make Coverity happy with an explicit check. Signed-off-by: Stefano Brivio --- tcp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tcp.c b/tcp.c index 8044617..8874789 100644 --- a/tcp.c +++ b/tcp.c @@ -1146,7 +1146,11 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find, break; default: type = *(opts++); - optlen = *(opts++) - 2; + + if (*opts < 2 || *(uint8_t *)opts > len) + return -1; + + optlen = *((uint8_t *)opts++) - 2; len -= 2; if (type != type_find) -- 2.35.1