riot-ci/RIOT
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #12249 from nmeum/pr/gnrc_tcp_option_length_access

Browse Source 
gnrc_tcp: check if option length field is present before accessing it
This commit is contained in:
benpicco 2019-09-17 23:22:53 +02:00 committed by GitHub
commit 7a818f0433
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sys/include/net/tcp.h
View File

@ -49,6 +49,7 @@ extern "C" {
* @brief TCP option "length"-field values. * @brief TCP option "length"-field values.
* @{ * @{
*/ */
#define TCP_OPTION_LENGTH_MIN (2U) /**< Mimimum amount of bytes needed for an option with a length field */
#define TCP_OPTION_LENGTH_MSS (0x04) /**< MSS Option Size always 4 */ #define TCP_OPTION_LENGTH_MSS (0x04) /**< MSS Option Size always 4 */
/** @} */ /** @} */

4
sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
View File

@ -51,7 +51,7 @@ int _option_parse(gnrc_tcp_tcb_t *tcb, tcp_hdr_t *hdr)
continue; continue;
case TCP_OPTION_KIND_MSS: case TCP_OPTION_KIND_MSS:
if (option->length > opt_left || option->length != TCP_OPTION_LENGTH_MSS) { if (opt_left < TCP_OPTION_LENGTH_MIN || option->length > opt_left || option->length != TCP_OPTION_LENGTH_MSS) {
DEBUG("gnrc_tcp_option.c : _option_parse() : invalid MSS Option length.\n"); DEBUG("gnrc_tcp_option.c : _option_parse() : invalid MSS Option length.\n");
return -1; return -1;
} }
@ -66,7 +66,7 @@ int _option_parse(gnrc_tcp_tcb_t *tcb, tcp_hdr_t *hdr)
return -1; return -1;
} }
if (option->length > opt_left) { if (opt_left < TCP_OPTION_LENGTH_MIN || option->length > opt_left) {
DEBUG("gnrc_tcp_option.c : _option_parse() : invalid option length\n"); DEBUG("gnrc_tcp_option.c : _option_parse() : invalid option length\n");
return 0; return 0;
} }