ip/tinc: handle single byte noop and end-of-option-list tcp options in clampmss()

author: cinap_lenrek <cinap_lenrek@felloff.net> 2017-12-17 20:20:17 +0100
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2017-12-17 20:20:17 +0100
commit: 0affe02b61bd29c83404270323f8e7a8b8c40a14 (patch)
tree: 9b856e5371a58a49c3f644c0470ca7778c8b33ce /sys/src/cmd/ip
parent: 15ff38e818d27d48fa8dd9450b0d4cb06b94b67d (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/sys/src/cmd/ip/tinc.c b/sys/src/cmd/ip/tinc.c
index 31ac6e380..9d4b0bf91 100644
--- a/sys/src/cmd/ip/tinc.c
+++ b/sys/src/cmd/ip/tinc.c
@@ -970,9 +970,20 @@ clampmss(Host *d, uchar *p, int n, int o)
 		return;
 	if((e = p+(p[12]>>4)*4) > p+n)
 		return;
-	for(h = p+TcpHdr; h+4 <= e && h[1] > 0; h += h[1])
+	for(h = p+TcpHdr; h < e;){
+		switch(h[0]){
+		case 0:
+			return;
+		case 1:
+			h++;
+			continue;
+		}
+		if(h[1] < 2 || h[1] > e - h)
+			return;
 		if(h[0] == 2 && h[1] == 4)
 			goto Found;
+		h += h[1];
+	}
 	return;
 Found:
 	oldmss = h[2]<<8 | h[3];
author	cinap_lenrek <cinap_lenrek@felloff.net>	2017-12-17 20:20:17 +0100
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2017-12-17 20:20:17 +0100
commit	0affe02b61bd29c83404270323f8e7a8b8c40a14 (patch)
tree	9b856e5371a58a49c3f644c0470ca7778c8b33ce /sys/src/cmd/ip
parent	15ff38e818d27d48fa8dd9450b0d4cb06b94b67d (diff)