[PATCH] tcp: Explicitly check option length field values in tcp_opt_get()
Reported by Coverity (CWE-606, Untrusted loop bound), and actually
harmless because we'll exit the option-scanning loop if the remaining
length is not enough for a new option, instead of reading past the
header.
In any case, it looks like a good idea to explicitly check for
reasonable values of option lengths.
Signed-off-by: Stefano Brivio
On Wed, Jan 04, 2023 at 06:44:21PM +0100, Stefano Brivio wrote:
Reported by Coverity (CWE-606, Untrusted loop bound), and actually harmless because we'll exit the option-scanning loop if the remaining length is not enough for a new option, instead of reading past the header.
In any case, it looks like a good idea to explicitly check for reasonable values of option lengths.
Signed-off-by: Stefano Brivio
Reviewed-by: David Gibson
--- tcp.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/tcp.c b/tcp.c index 26037b3..1e0a338 100644 --- a/tcp.c +++ b/tcp.c @@ -1117,6 +1117,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find, break; default: type = *(opts++); + + if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len) + return -1; + optlen = *(opts++) - 2; len -= 2;
-- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
participants (2)
-
David Gibson
-
Stefano Brivio