inet: detect short TCP option lengths

Previously, a TCP option length of zero would cause inet to end up
in an infinite loop.

This resolves #7, reported by Alejandro Hernandez.

Change-Id: I45ad4c789d10d8e202cf6e140a7b9db7a6543c75
David van Moolenbroek 2014-11-18 12:45:46 +00:00
parent db1ca87b7d
commit 65eccd1f74

@ -90,6 +90,8 @@ size_t *mssp;
if (i+2 > tcp_hdr_len) if (i+2 > tcp_hdr_len)
break; /* No length field */ break; /* No length field */
len= cp[1]; len= cp[1];
if (len < 2)
break; /* Length too short */
if (i+len > tcp_hdr_len) if (i+len > tcp_hdr_len)
break; /* Truncated option */ break; /* Truncated option */
i += len; i += len;
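
Review bot: the comment on the new `if (len < 2)` check says only "Length too short" and does not record why 2 is the floor. The option length counts the kind and length bytes themselves, so a length of 0 leaves `i += len` making no progress (the loop from the commit message), and a length of 1 would advance by a single byte and have the next iteration read the length byte as an option kind. Consider spelling that out in the comment so the bound is not later relaxed to `len < 1`. The new branch also stops option parsing silently with `break`, like the two checks around it, so a peer sending malformed options leaves no trace; if inet has a debug or statistics hook at this point, counting these would make such traffic visible. A regression test feeding a segment whose option carries length 0 and one with length 1 would pin the fix for #7.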