From 529de430ce07d0c3210a4636b1cb4c89cc6c8fc1 Mon Sep 17 00:00:00 2001 From: Gert Doering Date: Sun, 18 Jun 2017 21:41:04 +0200 Subject: [PATCH] Fix potential 1-byte overread in TCP option parsing. A malformed TCP header could lead to a one-byte overread when searching for the MSS option (but as far as we know, with no adverse consequences). Change outer loop to always ensure there's one extra byte available in the buffer examined. Technically, this would cause OpenVPN to ignore the only single-byte TCP option available, 'NOP', if it ends up being the very last option in the buffer - so what, it's a NOP anyway, and all we are interested is MSS, which needs 4 bytes. (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml) Found and reported by Guido Vranken . Trac: #745 Signed-off-by: Gert Doering Acked-by: Arne Schwabe Message-Id: <20170618194104.25179-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html Signed-off-by: Gert Doering (cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000) --- src/openvpn/mss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index ff2406819..7c596d781 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -159,7 +159,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) for (olen = hlen - sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); - olen > 0; + olen > 1; olen -= optlen, opt += optlen) { if (*opt == OPENVPN_TCPOPT_EOL) -- 2.47.3