From 65eccd1f74fb9a088de3a5c528079d45e11df3ac Mon Sep 17 00:00:00 2001
From: David van Moolenbroek
Date: Tue, 18 Nov 2014 12:45:46 +0000
Subject: [PATCH] inet: detect short TCP option lengths

Previously, a TCP option length of zero would cause inet to end up in an infinite loop. This resolves #7, reported by Alejandro Hernandez.

Change-Id: I45ad4c789d10d8e202cf6e140a7b9db7a6543c75
---
 minix/net/inet/generic/tcp_lib.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/minix/net/inet/generic/tcp_lib.c b/minix/net/inet/generic/tcp_lib.c
index a25671beb..0306e6d3a 100644
--- a/minix/net/inet/generic/tcp_lib.c
+++ b/minix/net/inet/generic/tcp_lib.c
@@ -90,6 +90,8 @@ size_t *mssp;
 if (i+2 > tcp_hdr_len)
 break; /* No length field */
 len= cp[1];
+ if (len < 2)
+ break; /* Length too short */
 if (i+len > tcp_hdr_len)
 break; /* Truncated option */
 i += len;
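Review bot: The new `break; /* Length too short */` path abandons option parsing silently, so a segment with a malformed option length leaves no trace for anyone monitoring the stack, even though this input comes off the wire and previously hung inet. If the rest of the function has a diagnostic or counter facility (none is visible in this hunk, and the enclosing loop and function start and end outside it), recording the event there would make such segments detectable. The comment could also state why 2 is the floor, e.g. `/* Length counts the kind and length octets; <2 is malformed, 0 would never advance i */`, which makes explicit that a length of 1 is rejected too, a case the commit message does not mention. The diffstat shows only this file changed, so a regression case feeding option lengths 0 and 1 would help pin the fix.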