From d63ce0d64c5abe9f285f14ce394660bfb9a16538 Mon Sep 17 00:00:00 2001
From: Chris Leech <cleech@redhat.com>
Date: Tue, 10 Nov 2020 14:14:11 -0800
Subject: check for TCP urgent pointer past end of frame

CVE-2020-17437
---
 iscsiuio/src/uip/uip.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index 522fd9d..e0a7221 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -2095,11 +2095,16 @@ tcp_send_finack:
 		} else {
 			uip_urglen = 0;
 #else /* UIP_URGDATA > 0 */
-			ustack->uip_appdata =
-			    ((char *)ustack->uip_appdata) +
-			    ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
-			ustack->uip_len -=
-			    (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+			tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+			if (tmp16 <= ustack->uip_len) {
+				ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
+				ustack->uip_len -= tmp16;
+			} else {
+				/* invalid urgent pointer length greater than frame */
+				/* we're discarding urgent data anyway, throw it all out */
+				ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
+				ustack->uip_len = 0;
+			}
 #endif /* UIP_URGDATA > 0 */
 		}
 
-- 
cgit v1.2.1