abc/lwip
1
0
Fork 0
mirror of https://git.savannah.nongnu.org/git/lwip.git synced 2026-06-17 18:33:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

tcp_in: Add bounds check for next option byte

Browse Source 
To allow reading the length byte of an option without verifying the
remaining length. Return zero when reading after available options
to trigger length checks.
This commit is contained in:
Erik Ekman
2026-06-16 08:16:37 +02:00
parent 8e75a40acf
commit 3d896ba0a3
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/core/tcp_in.c
View File

@@ -1904,6 +1904,10 @@ static u8_t
tcp_get_next_optbyte(void) tcp_get_next_optbyte(void)
{ {
u16_t optidx = tcp_optidx++; u16_t optidx = tcp_optidx++;
if (optidx >= tcphdr_optlen) {
/* Return 0 for any excess reads (like length fields) */
return LWIP_TCP_OPT_EOL;
}
if ((tcphdr_opt2 == NULL) || (optidx < tcphdr_opt1len)) { if ((tcphdr_opt2 == NULL) || (optidx < tcphdr_opt1len)) {
u8_t *opts = (u8_t *)tcphdr + TCP_HLEN; u8_t *opts = (u8_t *)tcphdr + TCP_HLEN;
return opts[optidx]; return opts[optidx];