aboutgitcodebugslistschat
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2022-04-05 05:54:18 +0200
committerStefano Brivio <sbrivio@redhat.com>2022-04-05 18:47:07 +0200
commit6a3f6df865cc8b9626181c87b33b4f7723852a2f (patch)
tree4afedd3bbbe01de90845a45a62837436b1288c4b
parent975ee8eb2b786643e6123e60909220a0ca5b5b55 (diff)
downloadpasst-6a3f6df865cc8b9626181c87b33b4f7723852a2f.tar
passt-6a3f6df865cc8b9626181c87b33b4f7723852a2f.tar.gz
passt-6a3f6df865cc8b9626181c87b33b4f7723852a2f.tar.bz2
passt-6a3f6df865cc8b9626181c87b33b4f7723852a2f.tar.lz
passt-6a3f6df865cc8b9626181c87b33b4f7723852a2f.tar.xz
passt-6a3f6df865cc8b9626181c87b33b4f7723852a2f.tar.zst
passt-6a3f6df865cc8b9626181c87b33b4f7723852a2f.zip
tcp: False "Untrusted loop bound" positive, CWE-606
Field doff in struct tcp_hdr is 4 bits wide, so optlen in tcp_tap_handler() is already bound, but make that explicit. Reported by Coverity. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r--tcp.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/tcp.c b/tcp.c
index 1409c53..858eb41 100644
--- a/tcp.c
+++ b/tcp.c
@@ -2716,6 +2716,8 @@ int tcp_tap_handler(struct ctx *c, int af, const void *addr,
return 1;
optlen = th->doff * 4UL - sizeof(*th);
+ /* Static checkers might fail to see this: */
+ optlen = MIN(optlen, ((1UL << 4) /* from doff width */ - 6) * 4UL);
opts = packet_get(p, 0, sizeof(*th), optlen, NULL);
conn = tcp_hash_lookup(c, af, addr, htons(th->source), htons(th->dest));