Source-Changes-HG archive
[src/netbsd-1-5]: src/sys/netinet pullup 1.112 -> 1.113 (approved by releng-1-5)
details: https://anonhg.NetBSD.org/src/rev/abe2a13b6494
branches: netbsd-1-5
changeset: 488538:abe2a13b6494
user: itojun <itojun%NetBSD.org@localhost>
date: Sun Jul 16 01:27:13 2000 +0000
description:
pullup 1.112 -> 1.113 (approved by releng-1-5)
date: 2000/07/09 12:49:08; author: itojun; state: Exp; lines: +4 -2
be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
diffstat:
sys/netinet/tcp_input.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diffs (21 lines):
diff -r c39f7ff38548 -r abe2a13b6494 sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c Sun Jul 16 00:27:58 2000 +0000
+++ b/sys/netinet/tcp_input.c Sun Jul 16 01:27:13 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.108.4.1 2000/07/03 08:31:57 itojun Exp $ */
+/* $NetBSD: tcp_input.c,v 1.108.4.2 2000/07/16 01:27:13 itojun Exp $ */
/*
%%% portions-copyright-nrl-95
@@ -2195,8 +2195,10 @@
if (opt == TCPOPT_NOP)
optlen = 1;
else {
+ if (cnt < 2)
+ break;
optlen = cp[1];
- if (optlen <= 0)
+ if (optlen < 2 || optlen > cnt)
break;
}
switch (opt) {
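Review bot: the two new checks in the else branch use the bare constant 2 with no comment saying it is the kind byte plus the length byte. A one-line comment above `if (cnt < 2)` would state the invariant: a non-NOP option occupies at least two bytes and must fit in the remaining `cnt` bytes. Separately, both malformed cases exit through the same `break` the old `optlen <= 0` test used, so they are handled exactly like that earlier case. The commit message says bogus options are dropped earlier, but the visible lines do not show whether the segment itself is discarded or processed with whatever options were parsed up to that point. Please confirm which is intended and note it next to the check.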