From 2520edd8fe438494934b915812125f2aebbc22b7 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Mon, 24 Aug 2020 17:26:07 +0000
Subject: [PATCH] Be more strict with TCP options parsing, avoid reading off the end of TCP options. See #2107
---
 tcpip.cc | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tcpip.cc b/tcpip.cc
index 2658a8235..2c7715ef2 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -1371,7 +1371,7 @@ static bool validateTCPhdr(const u8 *tcpc, unsigned len) {
 tcpc += (expected); \
 } while(0);
- while (optlen > 0) {
+ while (optlen > 1) {
 hdrlen = *(tcpc + 1);
 switch (*tcpc) {
 case 0: // EOL
@@ -1411,6 +1411,15 @@ static bool validateTCPhdr(const u8 *tcpc, unsigned len) {
 }
 }
+ if (optlen == 1) {
+ // Only 1 byte left in options, this has to be NOP or EOL
+ return (*tcpc == 0 || *tcpc == 1);
+ }
+ else if (optlen < 0) {
+ // Last option claimed to be longer than options list
+ return false;
+ }
+
 return true;
 }
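Review bot: The OPTLEN_IS macro whose tail is visible at the top of the hunk subtracts `expected` from optlen and advances tcpc without first checking that `expected` bytes actually remain, so a final option whose length byte exceeds the remaining options space is only caught after the loop exits, by the `optlen < 0` test in the second hunk, rather than at the option itself. A guard inside the macro, `if ((expected) > optlen) return false;` placed before `optlen -= (expected);`, would reject the overrun immediately and leave the post-loop test as a purely defensive check. The macro definition and the rest of validateTCPhdr begin outside the hunk, so whether an earlier line already bounds `expected` cannot be confirmed from here. The new `optlen > 1` loop condition itself is sound: it guarantees the `*(tcpc + 1)` read on the following line stays inside the options area.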
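Review bot: The `else if (optlen < 0)` branch is only meaningful if optlen is a signed type; its declaration is outside the hunk, and if it were unsigned the comparison would always be false and an over-long final option would be accepted. Since the loop above exits only when optlen is at most 1 and the `optlen == 1` case has already returned, the only remaining valid state is zero, so the tail can be written as `return optlen == 0;` with the comment `// anything other than exactly zero means the last option overran the options list`, which is correct regardless of signedness. That also removes the `else` after a `return`, which is redundant as written. validateTCPhdr's body begins outside the hunk.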