mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
Fix potential 1-byte overread in TCP option parsing.
A malformed TCP header could lead to a one-byte overread when
searching for the MSS option (but as far as we know, with no
adverse consequences).
Change outer loop to always ensure there's one extra byte available
in the buffer examined.
Technically, this would cause OpenVPN to ignore the only single-byte
TCP option available, 'NOP', if it ends up being the very last
option in the buffer - so what, it's a NOP anyway, and all we
are interested is MSS, which needs 4 bytes.
(https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml)
Found and reported by Guido Vranken <guidovranken@gmail.com>.
Trac: #745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170618194104.25179-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 22046a8834
)
This commit is contained in:
parent
479b6d13d8
commit
4d343fbe91
@ -146,7 +146,7 @@ mss_fixup_dowork (struct buffer *buf, uint16_t maxmss)
|
||||
|
||||
for (olen = hlen - sizeof (struct openvpn_tcphdr),
|
||||
opt = (uint8_t *)(tc + 1);
|
||||
olen > 0;
|
||||
olen > 1;
|
||||
olen -= optlen, opt += optlen) {
|
||||
if (*opt == OPENVPN_TCPOPT_EOL)
|
||||
break;
|
||||
|
Loading…
Reference in New Issue
Block a user