Am 18.06.17 um 21:41 schrieb Gert Doering: > A malformed TCP header could lead to a one-byte overread when > searching for the MSS option (but as far as we know, with no > adverse consequences). > > Change outer loop to always ensure there's one extra byte available > in the buffer examined. > > Technically, this would cause OpenVPN to ignore the only single-byte > TCP option available, 'NOP', if it ends up being the very last > option in the buffer - so what, it's a NOP anyway, and all we > are interested is MSS, which needs 4 bytes. > (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml) > > Found and reported by Guido Vranken <guidovran...@gmail.com>. > > Trac: #745 > > Signed-off-by: Gert Doering <g...@greenie.muc.de> > --- > src/openvpn/mss.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c > index ff24068..7c596d7 100644 > --- a/src/openvpn/mss.c > +++ b/src/openvpn/mss.c > @@ -159,7 +159,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) > > for (olen = hlen - sizeof(struct openvpn_tcphdr), > opt = (uint8_t *)(tc + 1); > - olen > 0; > + olen > 1; > olen -= optlen, opt += optlen) > { > if (*opt == OPENVPN_TCPOPT_EOL) >
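Review bot: the reason for `olen > 1` instead of `olen > 0` (the body reads the option-length byte at `opt[1]`, so two bytes must remain, and a trailing one-byte NOP is deliberately dropped) exists only in the commit message; a one-line comment above the `for` would stop a later reader from "fixing" it back to `olen > 0`. The new bound covers only the length byte: before reading the 4-byte MSS option and before the `olen -= optlen` update, the loop body still has to check that `optlen` does not exceed the remaining `olen`, otherwise the overread only moves from the length byte to the option payload. The three-line `for` header with the condition on its own line is also hard to read; putting the initialisation, condition and increment on clearly indented lines of their own would make the bound obvious.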
ACK. That for is strangely formatted. I have to look very hard to figure that out.

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel