From mboxrd@z Thu Jan  1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000)
	id 338385A0268; Wed,  4 Jan 2023 18:44:21 +0100 (CET)
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH] tcp: Explicitly check option length field values in tcp_opt_get()
Date: Wed,  4 Jan 2023 18:44:21 +0100
Message-Id: <20230104174421.633847-1-sbrivio@redhat.com>
X-Mailer: git-send-email 2.35.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: N3TYDOWIYR6CNAZLKX3RNHY7XIE2WDNP
X-Message-ID-Hash: N3TYDOWIYR6CNAZLKX3RNHY7XIE2WDNP
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20230104174421.633847-1-sbrivio@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/N3TYDOWIYR6CNAZLKX3RNHY7XIE2WDNP/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

Reported by Coverity (CWE-606, Untrusted loop bound), and actually
harmless because we'll exit the option-scanning loop if the remaining
length is not enough for a new option, instead of reading past the
header.

In any case, it looks like a good idea to explicitly check for
reasonable values of option lengths.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 tcp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tcp.c b/tcp.c
index 26037b3..1e0a338 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1117,6 +1117,10 @@ static int tcp_opt_get(const char *opts, size_t len, uint8_t type_find,
 			break;
 		default:
 			type = *(opts++);
+
+			if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len)
+				return -1;
+
 			optlen = *(opts++) - 2;
 			len -= 2;
 
-- 
2.35.1