inet: detect short TCP option lengths

Previously, a TCP option length of zero would cause inet to end up
in an infinite loop.

This resolves #7, reported by Alejandro Hernandez.

Change-Id: I45ad4c789d10d8e202cf6e140a7b9db7a6543c75

diff --git a/minix/net/inet/generic/tcp_lib.c b/minix/net/inet/generic/tcp_lib.c
index a25671beb2f89187c6b97652793e198518e2e65d..0306e6d3ab6fc8e2dfa6601fb76e752dedd92aee 100644 (file)
--- a/minix/net/inet/generic/tcp_lib.c
+++ b/minix/net/inet/generic/tcp_lib.c
@@ -90,6 +90,8 @@ size_t *mssp;
                if (i+2 > tcp_hdr_len)
                        break;  /* No length field */
                len= cp[1];
+               if (len < 2)
+                       break;  /* Length too short */
                if (i+len > tcp_hdr_len)
                        break;  /* Truncated option */
                i += len;