aboutgitcodebugslistschat
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2023-01-04 17:31:08 +0100
committerStefano Brivio <sbrivio@redhat.com>2023-01-05 15:08:07 +0100
commit37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77 (patch)
tree8e94d2e9d5876f65a1256e45c0438d150098bf1a
parent08c01f5b4e26b0c525875ea697958d058c0d3b7c (diff)
downloadpasst-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.tar
passt-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.tar.gz
passt-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.tar.bz2
passt-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.tar.lz
passt-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.tar.xz
passt-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.tar.zst
passt-37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77.zip
tcp: Explicitly check option length field values in tcp_opt_get()
Reported by Coverity (CWE-606, Untrusted loop bound), and actually harmless because we'll exit the option-scanning loop if the remaining length is not enough for a new option, instead of reading past the header. In any case, it looks like a good idea to explicitly check for reasonable values of option lengths. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat
-rw-r--r--tcp.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/tcp.c b/tcp.c
index cfdae06..4744ac5 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1146,6 +1146,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find,
break;
default:
type = *(opts++);
+
+ if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len)
+ return -1;
+
optlen = *(opts++) - 2;
len -= 2;
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-16 05:09:13 +0000