From e5503d62bf092300932dceabccbadb7c20b02e55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Mon, 16 Sep 2019 13:03:25 +0200
Subject: [PATCH] gnrc_tcp: check if option length field is present before accessing it

TCP options have up to three fields (kind, length, value). The current code only checks for the presence of the first field. Before accessing the second field (length) the code must ensure that a length field is even present.
---
 sys/include/net/tcp.h | 1 +
 sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/include/net/tcp.h b/sys/include/net/tcp.h
index 408fed316b..899893c612 100644
--- a/sys/include/net/tcp.h
+++ b/sys/include/net/tcp.h
@@ -49,6 +49,7 @@ extern "C" {
 * @brief TCP option "length"-field values.
 * @{
 */
+#define TCP_OPTION_LENGTH_MIN (2U) /**< Mimimum amount of bytes needed for an option with a length field */
 #define TCP_OPTION_LENGTH_MSS (0x04) /**< MSS Option Size always 4 */
 /** @} */
diff --git a/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c b/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
index aaca03fa6f..6b8c564073 100644
--- a/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
+++ b/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
@@ -51,7 +51,7 @@ int _option_parse(gnrc_tcp_tcb_t *tcb, tcp_hdr_t *hdr)
 continue;
 case TCP_OPTION_KIND_MSS:
- if (option->length > opt_left || option->length != TCP_OPTION_LENGTH_MSS) {
+ if (opt_left < TCP_OPTION_LENGTH_MIN || option->length > opt_left || option->length != TCP_OPTION_LENGTH_MSS) {
 DEBUG("gnrc_tcp_option.c : _option_parse() : invalid MSS Option length.\n");
 return -1;
 }
@@ -66,7 +66,7 @@ int _option_parse(gnrc_tcp_tcb_t *tcb, tcp_hdr_t *hdr)
 return -1;
 }
- if (option->length > opt_left) {
+ if (opt_left < TCP_OPTION_LENGTH_MIN || option->length > opt_left) {
 DEBUG("gnrc_tcp_option.c : _option_parse() : invalid option length\n");
 return 0;
 }
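Review bot: The Doxygen text on the new `TCP_OPTION_LENGTH_MIN` line misspells "Minimum" as "Mimimum", which will end up in the generated API docs. The comment could also say what the two bytes are, since the macro is used as a bound on the remaining option bytes rather than as a "length"-field value like its neighbour: `/**< Minimum number of bytes (kind + length) an option with a length field occupies */`.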
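Review bot: In the `TCP_OPTION_KIND_MSS` hunk the memory safety of the condition depends on operand order, and nothing on the line says so. `opt_left < TCP_OPTION_LENGTH_MIN` must be evaluated first because both later operands read `option->length`, which is only inside the options area when at least two bytes remain. A later reorder or split of this condition would silently bring the out-of-bounds read back. I would add a comment above the `if`, for example `/* keep the opt_left test first: option->length is only readable if kind + length bytes remain */`. The same applies to the check in the `-66,7` hunk; `_option_parse` starts and ends outside both hunks.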
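Review bot: The generic check in the `-66,7` hunk still accepts a length field of 0 or 1, because the added operand bounds `opt_left` and not `option->length` itself. The code after this hunk is not visible, but if it advances the parse position by `option->length`, a zero length would make no progress and a length of 1 would leave the parser pointing at the length byte as if it were a new option kind. Rejecting those values here closes that off: `if (opt_left < TCP_OPTION_LENGTH_MIN || option->length < TCP_OPTION_LENGTH_MIN || option->length > opt_left) {`. This branch also returns 0 where the MSS branch returns -1 for a bad length; it is worth confirming that a malformed option is meant to be reported differently here.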