author | Chris Leech <cleech@redhat.com> | 2020-11-10 13:55:18 -0800 |
---|---|---|
committer | Chris Leech <cleech@redhat.com> | 2020-12-18 10:16:18 -0800 |
commit | 1f7968efff15eb737eb086a298cc1f0f0e308411 (patch) | |
tree | 3d59770df341a718cb57702462c1bd5e5b253f46 /iscsiuio | |
parent | e2383973cbca64f8e17ed7c4ad98258edfed6644 (diff) | |
download | open-iscsi-1f7968efff15eb737eb086a298cc1f0f0e308411.tar.gz |
check for u8 overflow when processing TCP options
CVE-2020-13988
Diffstat (limited to 'iscsiuio')
-rw-r--r-- | iscsiuio/src/uip/uip.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c index cfff43c..522fd9d 100644 --- a/iscsiuio/src/uip/uip.c +++ b/iscsiuio/src/uip/uip.c @@ -1795,16 +1795,18 @@ found_listen: } else { /* All other options have a length field, so that we easily can skip past them. */ - if (ustack-> - uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + - c] == 0) { + if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) { /* If the length field is zero, the options are malformed and we don't process them further. */ break; } - c += ustack->uip_buf[uip_ip_tcph_len + - UIP_LLH_LEN + 1 + c]; + if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) { + /* u8 overflow, actually there should + * never be more than 40 bytes of options */ + break; + } + c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]; } } } @@ -2010,6 +2012,14 @@ found: further. */ break; } + if ((ustack->uip_buf[uip_ip_tcph_len + + UIP_LLH_LEN + 1 + + c]) > (256 - c)) { + /* u8 overflow, actually there should + * never be more than 40 bytes of + * options */ + break; + } c += ustack-> uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + |
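Review bot: The new guard `> (256 - c)` in the hunk at -1795 still accepts a length byte equal to `256 - c`, so `c += ...` lands on exactly 256. If `c` is the 8-bit counter the comment implies (its declaration is outside the hunk), it wraps to 0 and option parsing starts over on the same packet. Changing the comparison to `>=`, i.e. `if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] >= (256 - c)) {`, closes that case, and the identical check added in the hunk at -2010 needs the same change. Since the comment already says options never exceed 40 bytes, comparing the length against the option bytes remaining under the loop bound (not visible here) would be tighter than the u8 limit. The enclosing function and the option loop begin and end outside both hunks.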