From 37f82ccd9f4f107cdfbe83598b6733c7a6c4fb77 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Wed, 4 Jan 2023 17:31:08 +0100
Subject: tcp: Explicitly check option length field values in tcp_opt_get()

Reported by Coverity (CWE-606, Untrusted loop bound), and actually
harmless because we'll exit the option-scanning loop if the remaining
length is not enough for a new option, instead of reading past the
header.

In any case, it looks like a good idea to explicitly check for
reasonable values of option lengths.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
---
 tcp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tcp.c b/tcp.c
index cfdae06..4744ac5 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1146,6 +1146,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find,
 			break;
 		default:
 			type = *(opts++);
+
+			if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len)
+				return -1;
+
 			optlen = *(opts++) - 2;
 			len -= 2;
 
-- 
cgit v1.2.3