A malformed TCP header could lead to a one-byte overread when searching for the MSS option (but as far as we know, with no adverse consequences).
Change outer loop to always ensure there's one extra byte available in the buffer examined. Technically, this would cause OpenVPN to ignore the only single-byte TCP option available, 'NOP', if it ends up being the very last option in the buffer - so what, it's a NOP anyway, and all we are interested in is MSS, which needs 4 bytes. (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml) Found and reported by Guido Vranken <guidovran...@gmail.com>. Trac: #745 Signed-off-by: Gert Doering <g...@greenie.muc.de> --- src/openvpn/mss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index ff24068..7c596d7 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -159,7 +159,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) for (olen = hlen - sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); - olen > 0; + olen > 1; olen -= optlen, opt += optlen) { if (*opt == OPENVPN_TCPOPT_EOL) -- 2.10.2
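Review bot: the new condition `olen > 1` only guarantees that the option-kind byte and the length byte that follows it are inside the buffer; the hunk does not show how the body derives `optlen` from that length byte, so please confirm before merging that a reported option length larger than the remaining `olen`, or a length of 0 (which would leave `olen -= optlen, opt += optlen` without progress), is rejected before the loop advances, and that the 4 bytes needed for an MSS option are checked against `olen` rather than assumed. A one-line comment on `+ olen > 1;` saying the extra byte is reserved for the option-length field would carry the reasoning from the commit message into the code, since a later reader will otherwise see an off-by-one-looking bound with no explanation.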