diff options
author | Chris Leech <cleech@redhat.com> | 2020-11-10 13:36:37 -0800 |
---|---|---|
committer | Chris Leech <cleech@redhat.com> | 2020-12-18 10:16:18 -0800 |
commit | e2383973cbca64f8e17ed7c4ad98258edfed6644 (patch) | |
tree | 113fafdf0cd8712b2ab0c19e64b1296be01a295b /iscsiuio | |
parent | b680f6e81f2f05f7e721f0aa97ce8aa885b3f0ba (diff) | |
download | open-iscsi-e2383973cbca64f8e17ed7c4ad98258edfed6644.tar.gz |
check for header length underflow during checksum calculation
CVE-2020-13987
Diffstat (limited to 'iscsiuio')
-rw-r--r-- | iscsiuio/src/uip/uip.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c index e2ce2cc..cfff43c 100644 --- a/iscsiuio/src/uip/uip.c +++ b/iscsiuio/src/uip/uip.c @@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto) tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer; upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) + - tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN; + tcp_ipv4_hdr->len[1]); + /* check for underflow from an invalid length field */ + if (upper_layer_len < UIP_IPv4_H_LEN) { + /* return 0 as an invalid checksum */ + return 0; + } + upper_layer_len -= UIP_IPv4_H_LEN; /* First sum pseudoheader. */ /* IP protocol and length fields. This addition cannot carry. */ |