From 3d896ba0a37ff3ce73270ca5e230707fe47f60e3 Mon Sep 17 00:00:00 2001
From: Erik Ekman <erik@kryo.se>
Date: Tue, 16 Jun 2026 08:16:37 +0200
Subject: [PATCH] tcp_in: Add bounds check for next option byte

To allow reading the length byte of an option without verifying the
remaining length. Return zero when reading after available options
to trigger length checks.
---
 src/core/tcp_in.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/core/tcp_in.c b/src/core/tcp_in.c
index 37c6bb61..7c8b71cd 100644
--- a/src/core/tcp_in.c
+++ b/src/core/tcp_in.c
@@ -1904,6 +1904,10 @@ static u8_t
 tcp_get_next_optbyte(void)
 {
   u16_t optidx = tcp_optidx++;
+  if (optidx >= tcphdr_optlen) {
+    /* Return 0 for any excess reads (like length fields) */
+    return LWIP_TCP_OPT_EOL;
+  }
   if ((tcphdr_opt2 == NULL) || (optidx < tcphdr_opt1len)) {
     u8_t *opts = (u8_t *)tcphdr + TCP_HLEN;
     return opts[optidx];