Fix potential 1-byte overread in TCP option parsing.
A malformed TCP header could lead to a one-byte overread when
searching for the MSS option (but as far as we know, with no
adverse consequences).
Change outer loop to always ensure there's one extra byte available
in the buffer examined.
Technically, this would cause OpenVPN to ignore the only single-byte
TCP option available, 'NOP', if it ends up being the very last
option in the buffer - so what, it's a NOP anyway, and all we
are interested is MSS, which needs 4 bytes.
(https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml)
Found and reported by Guido Vranken <guidovranken@gmail.com>.
Trac: #745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170618194104.25179-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering authored on 2017/06/19 04:41:04Showing 1 changed files
| ... | ... |
@@ -159,7 +159,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) |
| 159 | 159 |
|
| 160 | 160 |
for (olen = hlen - sizeof(struct openvpn_tcphdr), |
| 161 | 161 |
opt = (uint8_t *)(tc + 1); |
| 162 |
- olen > 0; |
|
| 162 |
+ olen > 1; |
|
| 163 | 163 |
olen -= optlen, opt += optlen) |
| 164 | 164 |
{
|
| 165 | 165 |
if (*opt == OPENVPN_TCPOPT_EOL) |