author | Chris Leech <cleech@redhat.com> | 2020-11-10 14:14:11 -0800 |
---|---|---|
committer | Chris Leech <cleech@redhat.com> | 2020-12-18 10:16:18 -0800 |
commit | d63ce0d64c5abe9f285f14ce394660bfb9a16538 (patch) | |
tree | 6c4b44733c0eaeca73c0d6d0cfa843e9d43aa935 /iscsiuio | |
parent | 1f7968efff15eb737eb086a298cc1f0f0e308411 (diff) | |
check for TCP urgent pointer past end of frame
CVE-2020-17437
Diffstat (limited to 'iscsiuio')
-rw-r--r-- | iscsiuio/src/uip/uip.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index 522fd9d..e0a7221 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -2095,11 +2095,16 @@ tcp_send_finack:
 } else {
 uip_urglen = 0;
 #else /* UIP_URGDATA > 0 */
- ustack->uip_appdata =
- ((char *)ustack->uip_appdata) +
- ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
- ustack->uip_len -=
- (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+ tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+ if (tmp16 <= ustack->uip_len) {
+ ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
+ ustack->uip_len -= tmp16;
+ } else {
+ /* invalid urgent pointer length greater than frame */
+ /* we're discarding urgent data anyway, throw it all out */
+ ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
+ ustack->uip_len = 0;
+ }
 #endif /* UIP_URGDATA > 0 */
 } |
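Review bot: The bound in the added `if (tmp16 <= ustack->uip_len)` is only as strong as two things this hunk does not show: that `tmp16` is an unsigned 16-bit variable, and that `uip_len` at this point counts only the remaining TCP payload with the header bytes already subtracted. Both are set up elsewhere in the enclosing function, which starts and ends outside the hunk, so they are worth confirming and stating in the comment, e.g. `/* urgp comes from the peer; clamp it to the remaining payload (uip_len) so uip_appdata never moves past the received data */`. The two branches could also collapse into a clamp, `if (tmp16 > ustack->uip_len) tmp16 = ustack->uip_len;`, followed by the single advance and subtract, which leaves one pointer adjustment to audit instead of two. A debug log line or counter on the clamped path would make segments with an out-of-range urgent pointer visible to operators.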