riot-ci/RIOT
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

gnrc_tcp: check if option length field is present before accessing it

Browse Source 
TCP options have up to three fields (kind, length, value). The
current code only checks for the presence of the first field. Before
accessing the second field (length) the code must ensure that a length
field is even present.
This commit is contained in:
Sören Tempel 2019-09-16 13:03:25 +02:00
parent 018c15ae0c
commit e5503d62bf
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sys/include/net/tcp.h
View File

@ -49,6 +49,7 @@ extern "C" {
* @brief TCP option "length"-field values. * @brief TCP option "length"-field values.
* @{ * @{
*/ */
#define TCP_OPTION_LENGTH_MIN (2U) /**< Mimimum amount of bytes needed for an option with a length field */
#define TCP_OPTION_LENGTH_MSS (0x04) /**< MSS Option Size always 4 */ #define TCP_OPTION_LENGTH_MSS (0x04) /**< MSS Option Size always 4 */
/** @} */ /** @} */

4
sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
View File

@ -51,7 +51,7 @@ int _option_parse(gnrc_tcp_tcb_t *tcb, tcp_hdr_t *hdr)
continue; continue;
case TCP_OPTION_KIND_MSS: case TCP_OPTION_KIND_MSS:
if (option->length > opt_left || option->length != TCP_OPTION_LENGTH_MSS) { if (opt_left < TCP_OPTION_LENGTH_MIN || option->length > opt_left || option->length != TCP_OPTION_LENGTH_MSS) {
DEBUG("gnrc_tcp_option.c : _option_parse() : invalid MSS Option length.\n"); DEBUG("gnrc_tcp_option.c : _option_parse() : invalid MSS Option length.\n");
return -1; return -1;
} }
@ -66,7 +66,7 @@ int _option_parse(gnrc_tcp_tcb_t *tcb, tcp_hdr_t *hdr)
return -1; return -1;
} }
if (option->length > opt_left) { if (opt_left < TCP_OPTION_LENGTH_MIN || option->length > opt_left) {
DEBUG("gnrc_tcp_option.c : _option_parse() : invalid option length\n"); DEBUG("gnrc_tcp_option.c : _option_parse() : invalid option length\n");
return 0; return 0;
} }