
Be more strict with TCP options parsing, avoid reading off the end of TCP options. See #2107

This commit is contained in:
dmiller
2020-08-24 17:26:07 +00:00
parent 428c3e7700
commit 2520edd8fe


@@ -1371,7 +1371,7 @@ static bool validateTCPhdr(const u8 *tcpc, unsigned len) {
tcpc += (expected); \ tcpc += (expected); \
} while(0); } while(0);
while (optlen > 0) { while (optlen > 1) {
hdrlen = *(tcpc + 1); hdrlen = *(tcpc + 1);
switch (*tcpc) { switch (*tcpc) {
case 0: // EOL case 0: // EOL
@@ -1411,6 +1411,15 @@ static bool validateTCPhdr(const u8 *tcpc, unsigned len) {
} }
} }
if (optlen == 1) {
// Only 1 byte left in options, this has to be NOP or EOL
return (*tcpc == 0 || *tcpc == 1);
}
else if (optlen < 0) {
// Last option claimed to be longer than options list
return false;
}
return true; return true;
} }
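Review bot: The `else if (optlen < 0)` branch only detects an option that overran the list if `optlen` is a signed integer, and that declaration is not in the hunk — validateTCPhdr's own parameter is `unsigned len`, so if `optlen` were derived from it as unsigned, the `< 0` test would be dead and the `while (optlen > 1)` condition would keep the loop reading past the options on a wrapped value. A comment pinning the invariant would make this safe against a later type change, e.g. `// optlen must stay signed: a negative value means the last option claimed more bytes than remain`. The loop condition also deserves a why-comment, since `> 1` rather than `> 0` is the actual fix: `// need both the kind byte and the length byte before reading *(tcpc + 1)`. The loop body and the declaration of `optlen` lie outside both hunks, so I cannot confirm how `optlen` is decremented for kind 0/1 versus length-carrying options.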