author | itojun <itojun@FreeBSD.org> | 2000-07-09 13:01:59 +0000 |
---|---|---|
committer | itojun <itojun@FreeBSD.org> | 2000-07-09 13:01:59 +0000 |
commit | 56bc1eab2de553abe94956616dcfe8a47fe830d7 (patch) | |
tree | 1a01ea30fcb7e0e1672f06b27015f340144ea4ed /sys/netinet | |
parent | 9ca0f51b02db8b54d4f2f683d8e79ae01346f911 (diff) | |
be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/tcp_input.c | 4 |
-rw-r--r-- | sys/netinet/tcp_reass.c | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 9cdff6a..427e6c7 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -2329,8 +2329,10 @@ tcp_dooptions(tp, cp, cnt, th, to) if (opt == TCPOPT_NOP) optlen = 1; else { + if (cnt < 2) + break; optlen = cp[1]; - if (optlen <= 0) + if (optlen < 2 || optlen > cnt) break; } switch (opt) { diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index 9cdff6a..427e6c7 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -2329,8 +2329,10 @@ tcp_dooptions(tp, cp, cnt, th, to) if (opt == TCPOPT_NOP) optlen = 1; else { + if (cnt < 2) + break; optlen = cp[1]; - if (optlen <= 0) + if (optlen < 2 || optlen > cnt) break; } switch (opt) { |
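Review bot: In the tcp_input.c hunk of tcp_dooptions, the two new checks (`if (cnt < 2) break;` and `if (optlen < 2 || optlen > cnt) break;`) have no comment saying why 2 is the floor. A non-NOP option is at least a kind byte plus a length byte, and `cp[1]` may only be read when two bytes remain, so a one-line comment to that effect above the `cnt < 2` test would make the invariant obvious to the next reader. Two further points to confirm: both checks `break` before the `switch (opt)`, so a malformed option ends option processing without any indication, while the commit message speaks of dropping bogus ones, and it should be stated whether abandoning the rest of the option list is the intended result. Also, `optlen > cnt` only bounds the length against the remaining bytes, so each case in the switch that follows still needs its own check that optlen matches the size that option expects.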
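Review bot: The tcp_reass.c hunk repeats the tcp_input.c change exactly, and the two diffs carry the same index line (9cdff6a..427e6c7) at the same position (@@ -2329,8 +2329,10 @@), which means the two files have identical contents before and after this commit. The option-length validation in tcp_dooptions therefore lives in two copies that must be kept in step by hand. Suggest saying in the commit message that both copies are patched deliberately, and noting which file is the one actually compiled, so a later fix to the length check is not applied to only one of them.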