be more cautious about tcp option length field. drop bogus ones earlier.

not sure if there is a real threat or not, but it seems that there's possibility for overrun/underrun (like non-NOP option with optlen > cnt).
svn path=/head/; revision=62846
2000-07-09 13:01:59 +00:00 · 2000-07-09 13:01:59 +00:00 · b474779f46 · 2020-12-20 02:59:44 +00:00
commit b474779f46
parent e63b255aa6
2 changed files with 6 additions and 2 deletions
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@ -2329,8 +2329,10 @@ tcp_dooptions(tp, cp, cnt, th, to)
 		if (opt == TCPOPT_NOP)
 			optlen = 1;
 		else {
+			if (cnt < 2)
+				break;
 			optlen = cp[1];
-			if (optlen <= 0)
+			if (optlen < 2 || optlen > cnt)
 				break;
 		}
 		switch (opt) {
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@ -2329,8 +2329,10 @@ tcp_dooptions(tp, cp, cnt, th, to)
 		if (opt == TCPOPT_NOP)
 			optlen = 1;
 		else {
+			if (cnt < 2)
+				break;
 			optlen = cp[1];
-			if (optlen <= 0)
+			if (optlen < 2 || optlen > cnt)
 				break;
 		}
 		switch (opt) {