From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by passt.top (Postfix) with ESMTPS id 15E265A0271 for ; Thu, 5 Jan 2023 06:45:49 +0100 (CET) Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4Nnb6Z0yyxz4y0B; Thu, 5 Jan 2023 16:45:42 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=201602; t=1672897542; bh=kYS4/cQjqbZF/Ttc4I8eB2yQgtww+wuBOLWomlWql58=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=hDUUdQl632d+XGdG44N5H4NJEBWBD9amhqPGzOYygY3jopncg5YKa2xOuC6chWw4R jDWgMc78HwrpUvTAM3jbV+ix+KWMcyJ/aEPn8Da8zasVRUOSoG2J+XWegU3QYAcd6x RQ60+OgizQDt1Y/Wfh/S+XsulB5E0gpUqksCCly8= Date: Thu, 5 Jan 2023 15:34:19 +1100 From: David Gibson To: Stefano Brivio Subject: Re: [PATCH] tcp: Explicitly check option length field values in tcp_opt_get() Message-ID: References: <20230104174421.633847-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xzTgQ6y3bO/SRDj9" Content-Disposition: inline In-Reply-To: <20230104174421.633847-1-sbrivio@redhat.com> Message-ID-Hash: YNATLCGNZ6ILEXTTD4VYN7EBMIZ7BUGS X-Message-ID-Hash: YNATLCGNZ6ILEXTTD4VYN7EBMIZ7BUGS X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: passt-dev@passt.top X-Mailman-Version: 3.3.3 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --xzTgQ6y3bO/SRDj9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jan 04, 2023 at 06:44:21PM +0100, Stefano Brivio wrote: > Reported by Coverity (CWE-606, Untrusted loop bound), and actually > harmless because we'll exit the option-scanning loop if the remaining > length is not enough for a new option, instead of reading past the > header. >=20 > In any case, it looks like a good idea to explicitly check for > reasonable values of option lengths. >=20 > Signed-off-by: Stefano Brivio Reviewed-by: David Gibson > --- > tcp.c | 4 ++++ > 1 file changed, 4 insertions(+) >=20 > diff --git a/tcp.c b/tcp.c > index 26037b3..1e0a338 100644 > --- a/tcp.c > +++ b/tcp.c > @@ -1117,6 +1117,10 @@ static int tcp_opt_get(const char *opts, size_t le= n, uint8_t type_find, > break; > default: > type =3D *(opts++); > + > + if (*(uint8_t *)opts < 2 || *(uint8_t *)opts > len) > + return -1; > + > optlen =3D *(opts++) - 2; > len -=3D 2; > =20 --=20 David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson --xzTgQ6y3bO/SRDj9 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEoULxWu4/Ws0dB+XtgypY4gEwYSIFAmO2U0UACgkQgypY4gEw YSK14g//TkTLnX1IPTEdo99Pfjyx46L62PpZ8YkgFTYF74X49VQpJiCRrgR6RDpA Fm9BnQcCzSs+moL2RrXU0LN04IcDK/PsKa7Gfpmc1esab3ND1W9qA6JveZ7VhLIu dDBv3877sbVgX6jzaS1+Gfiy9EsnGXuPHuUZLwvytkg7bL22RXfs9SAVe6VEEVwX mKdOX3Pb4b6W14rJ8VFYyYnf8GdCIJ9OmXwmJOugpsGJzz2BjphR7mYvAPu63cm8 wskmCWs+lGM0mIadN3emGHHnreUXsZcb4kuyCzZhMIEiXQciaa9d8SX8qBeIUfV7 V+nhXymMVaqwiYEKzT/alHw4UE1wBAZsLGNPsGWQ7VGjg7SdHB8woThRMhbwj/9T e9gJl9NTZJ90tMrsOlvlwbEnHJhqrOSU3Rt26Up0cqTvFC4VmkItEq4fp0fJB8a9 0KH5bdolgCCSHkMkKVU7qhY+vJItqc6fA9B7BwHdxfAf6oWVFfYwB4EMv2BREln/ 1/lsgnZp7RFlyAEnm2pdfCbiRXSdSaGR5/h82XLSXSuQUoC4YRDupPHwIpP0rfyv XhS+FXvR81hOjA5D/OAJiSPCm2h6H1247sJEUq/UYu5LkQPSE+gVoMNA7YqpRyYl 1uutp42aV+nEoWLud7fRgRmDQCJ1yTpphglKtAyrXtz70lN/rqs= =3lio -----END PGP SIGNATURE----- --xzTgQ6y3bO/SRDj9--