From: David van Moolenbroek Date: Tue, 18 Nov 2014 12:45:46 +0000 (+0000) Subject: inet: detect short TCP option lengths X-Git-Url: http://zhaoyanbai.com/repos/%22http:/www.isc.org/icons/zpipe.c?a=commitdiff_plain;h=65eccd1f74fb9a088de3a5c528079d45e11df3ac;p=minix.git inet: detect short TCP option lengths Previously, a TCP option length of zero would cause inet to end up in an infinite loop. This resolves #7, reported by Alejandro Hernandez. Change-Id: I45ad4c789d10d8e202cf6e140a7b9db7a6543c75 --- diff --git a/minix/net/inet/generic/tcp_lib.c b/minix/net/inet/generic/tcp_lib.c index a25671beb..0306e6d3a 100644 --- a/minix/net/inet/generic/tcp_lib.c +++ b/minix/net/inet/generic/tcp_lib.c @@ -90,6 +90,8 @@ size_t *mssp; if (i+2 > tcp_hdr_len) break; /* No length field */ len= cp[1]; + if (len < 2) + break; /* Length too short */ if (i+len > tcp_hdr_len) break; /* Truncated option */ i += len;