ref: 0affe02b61bd29c83404270323f8e7a8b8c40a14
parent: 15ff38e818d27d48fa8dd9450b0d4cb06b94b67d
author: cinap_lenrek <[email protected]>
date: Sun Dec 17 15:20:17 EST 2017
ip/tinc: handle single byte noop and end-of-option-list tcp options in clampmss()
--- a/sys/src/cmd/ip/tinc.c
+++ b/sys/src/cmd/ip/tinc.c
@@ -970,9 +970,20 @@
return;
if((e = p+(p[12]>>4)*4) > p+n)
return;
- for(h = p+TcpHdr; h+4 <= e && h[1] > 0; h += h[1])
+ for(h = p+TcpHdr; h < e;){
+ switch(h[0]){
+ case 0:
+ return;
+ case 1:
+ h++;
+ continue;
+ }
+ if(h[1] < 2 || h[1] > e - h)
+ return;
if(h[0] == 2 && h[1] == 4)
goto Found;
+ h += h[1];
+ }
return;
Found:
oldmss = h[2]<<8 | h[3];
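Review bot: The new length check `if(h[1] < 2 || h[1] > e - h)` reads `h[1]` before confirming that a second byte exists inside the options area. When an option kind other than 0 or 1 sits in the last byte before `e`, `h[1]` is the byte at `e` itself, and the earlier check allows `e == p+n`, so this can read one byte past the `n` validated bytes. The function returns either way, so the only effect is the read; whether the buffer holds anything beyond `n` is not visible in this hunk. Testing the remaining space first closes it: `if(e - h < 2 || h[1] < 2 || h[1] > e - h) return;`. The body of clampmss() starts and ends outside the hunk.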