check for header length underflow during checksum calculation

CVE-2020-13987
author: Chris Leech <cleech@redhat.com> 2020-11-10 13:36:37 -0800
committer: Chris Leech <cleech@redhat.com> 2020-12-18 10:16:18 -0800
commit: e2383973cbca64f8e17ed7c4ad98258edfed6644 (patch)
tree: 113fafdf0cd8712b2ab0c19e64b1296be01a295b /iscsiuio
parent: b680f6e81f2f05f7e721f0aa97ce8aa885b3f0ba (diff)
download: open-iscsi-e2383973cbca64f8e17ed7c4ad98258edfed6644.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index e2ce2cc..cfff43c 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
 	tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
 
 	upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
-			   tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
+			   tcp_ipv4_hdr->len[1]);
+	/* check for underflow from an invalid length field */
+	if (upper_layer_len < UIP_IPv4_H_LEN) {
+		/* return 0 as an invalid checksum */
+		return 0;
+	}
+	upper_layer_len -= UIP_IPv4_H_LEN;
 
 	/* First sum pseudoheader. */
 	/* IP protocol and length fields. This addition cannot carry. */
author	Chris Leech <cleech@redhat.com>	2020-11-10 13:36:37 -0800
committer	Chris Leech <cleech@redhat.com>	2020-12-18 10:16:18 -0800
commit	e2383973cbca64f8e17ed7c4ad98258edfed6644 (patch)
tree	113fafdf0cd8712b2ab0c19e64b1296be01a295b /iscsiuio
parent	b680f6e81f2f05f7e721f0aa97ce8aa885b3f0ba (diff)
download	open-iscsi-e2383973cbca64f8e17ed7c4ad98258edfed6644.tar.gz