From: Gert Doering Date: Sun, 18 Jun 2017 19:41:04 +0000 (+0200) Subject: Fix potential 1-byte overread in TCP option parsing. X-Git-Tag: v2.4.3~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=529de430ce07d0c3210a4636b1cb4c89cc6c8fc1;p=thirdparty%2Fopenvpn.git Fix potential 1-byte overread in TCP option parsing. A malformed TCP header could lead to a one-byte overread when searching for the MSS option (but as far as we know, with no adverse consequences). Change outer loop to always ensure there's one extra byte available in the buffer examined. Technically, this would cause OpenVPN to ignore the only single-byte TCP option available, 'NOP', if it ends up being the very last option in the buffer - so what, it's a NOP anyway, and all we are interested is MSS, which needs 4 bytes. (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml) Found and reported by Guido Vranken . Trac: #745 Signed-off-by: Gert Doering Acked-by: Arne Schwabe Message-Id: <20170618194104.25179-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html Signed-off-by: Gert Doering (cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000) --- diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index ff2406819..7c596d781 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -159,7 +159,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) for (olen = hlen - sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); - olen > 0; + olen > 1; olen -= optlen, opt += optlen) { if (*opt == OPENVPN_TCPOPT_EOL)