Page MenuHomeFreeBSD

Make TCP options parsing stricter
ClosedPublic

Authored by ae on Dec 10 2019, 12:43 PM.

Details

Summary

Rework tcpopts_parse() to be more strict. Add length checks for specific TCP options. The behavior is copied from tcp_input.c.
The main purpose of the change is avoiding of possible out of mbuf's data access.

Reported by: Maxime Villard

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 28059
Build 26207: arc lint + arc unit

Event Timeline

melifaro added inline comments.
sys/netpfil/ipfw/ip_fw2.c
333

Would help if we add a comment suggesting that the parsing logic mimics one from tcp_dooptions().

334

Since we're talking about safeness: can we change the signature to be const struct tcphdr *tcp?

338

Would it be possible to rename x to something more resembling the remaining byte count?

For example, tcp_dooptions() uses cnt for the similar purpose.

This revision is now accepted and ready to land.Dec 10 2019, 1:14 PM

Looks reasonable, with good suggestions from @melifaro

ae marked 3 inline comments as done.

Commited in rS355712.