Fix potential 1-byte overread in TCP option parsing.

A malformed TCP header could lead to a one-byte overread when
searching for the MSS option (but as far as we know, with no
adverse consequences).

Change outer loop to always ensure there's one extra byte available
in the buffer examined.

Technically, this would cause OpenVPN to ignore the only single-byte
TCP option available, 'NOP', if it ends up being the very last
option in the buffer - so what, it's a NOP anyway, and all we
are interested is MSS, which needs 4 bytes.
(https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml)

Found and reported by Guido Vranken <guidovranken@gmail.com>.

Trac: #745

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20170618194104.25179-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000)

diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index 5978e7140195017b832dadc0932e91331e823598..f930942a2afb51ac66054ea0dbd8be5839e35844 100644 (file)
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -146,7 +146,7 @@ mss_fixup_dowork (struct buffer *buf, uint16_t maxmss)
 
   for (olen = hlen - sizeof (struct openvpn_tcphdr),
         opt = (uint8_t *)(tc + 1);
-       olen > 0;
+       olen > 1;
        olen -= optlen, opt += optlen) {
     if (*opt == OPENVPN_TCPOPT_EOL)
       break;