authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-07-09 12:53:56 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-07-09 12:53:56 +0000
commit575827cfc6b35a63328df8cec23f1309bfbf6ea1 (patch)
tree49132190425d0b4cdb96064b12c48ff2fff55523 /sys
parentd5be48b42274b6ae153e9a71324b1714edc41c8f (diff)
be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's a possibility of overrun/underrun (like a non-NOP option with optlen > cnt).
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/tcp_input.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index b556ce9ec4a..f30ddbbdf7d 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.65 2000/07/06 10:31:10 fgsch Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.66 2000/07/09 12:53:55 itojun Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -2110,8 +2110,10 @@ tcp_dooptions(tp, cp, cnt, th, ts_present, ts_val, ts_ecr)
if (opt == TCPOPT_NOP)
optlen = 1;
else {
+ if (cnt < 2)
+ break;
optlen = cp[1];
- if (optlen <= 0)
+ if (optlen < 2 || optlen > cnt)
break;
}
switch (opt) {
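Review bot: The two new guards around `optlen = cp[1]` carry no comment stating the invariant they enforce, so a later edit could loosen them without noticing; I would add `/* need kind+len bytes; len counts both and must not exceed the remaining cnt */` above `if (cnt < 2)`. The checks only keep the option inside the remaining option area. Each case in the `switch (opt)` that follows presumably still has to compare `optlen` with that option's fixed size before copying from `cp`, and those cases are outside this hunk, so that should be confirmed. A malformed option also ends parsing silently through `break`, so bumping a statistics counter there would make such segments visible to operators. tcp_dooptions starts before and continues past the hunk.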