From 37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Wed, 4 Jan 2023 17:31:08 +0100 Subject: tcp: Explicitly check option length field values in tcp_opt_get() Reported by Coverity (CWE-606, Untrusted loop bound), and actually harmless because we'll exit the option-scanning loop if the remaining length is not enough for a new option, instead of reading past the header. In any case, it looks like a good idea to explicitly check for reasonable values of option lengths. Signed-off-by: Stefano Brivio Reviewed-by: David Gibson --- tcp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tcp.c b/tcp.c index cfdae06..4744ac5 100644 --- a/tcp.c +++ b/tcp.c @@ -1146,6 +1146,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find, break; default: type = *(opts++); + + if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len) + return -1; + optlen = *(opts++) - 2; len -= 2; -- cgit v1.2.3