From 4d343fbe9166e14187775567db00c0a91017df83 Mon Sep 17 00:00:00 2001 From: Gert Doering Date: Sun, 18 Jun 2017 21:41:04 +0200 Subject: [PATCH] Fix potential 1-byte overread in TCP option parsing. A malformed TCP header could lead to a one-byte overread when searching for the MSS option (but as far as we know, with no adverse consequences). Change outer loop to always ensure there's one extra byte available in the buffer examined. Technically, this would cause OpenVPN to ignore the only single-byte TCP option available, 'NOP', if it ends up being the very last option in the buffer - so what, it's a NOP anyway, and all we are interested is MSS, which needs 4 bytes. (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml) Found and reported by Guido Vranken . Trac: #745 Signed-off-by: Gert Doering Acked-by: Arne Schwabe Message-Id: <20170618194104.25179-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14874.html Signed-off-by: Gert Doering (cherry picked from commit 22046a88342878cf43a9a553c83470eeaf97f000) --- src/openvpn/mss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 5978e7140..f930942a2 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -146,7 +146,7 @@ mss_fixup_dowork (struct buffer *buf, uint16_t maxmss) for (olen = hlen - sizeof (struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); - olen > 0; + olen > 1; olen -= optlen, opt += optlen) { if (*opt == OPENVPN_TCPOPT_EOL) break; -- 2.47.2