Re: tcp options bug?

Andi Kleen (ak@muc.de)
25 Sep 1998 20:41:32 +0200


koxaras@ceid.upatras.gr (Koxaras Aris) writes:

> I think there's a (harmless) bug in net/ipv4/tcp_input.c, in
> function tcp_options(). One can send "TCP_NOP,TCP_NOP,TCPOPT_MSS,4" as
> TCP options, forcing the kernel to read 2 more bytes after the end of
> the tcp packet options. This happens because tcp_options() does NOT check
> if length <= opsize. It only checks if opsize<=2.

It does this check. The check is implicit in the while loop condition
(if opsize >= length the length > 0 check becomes false). In 2.0, which
only understands the MSS option, there is an opsize == 4 check in the MSS code
which prevents the read.

2.1 understands more options, but it does a (opsize > length) check.

-Andi
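To make the bounds discussion concrete, here is an added example (not the kernel's tcp_options() and not code from either poster) of a TCP option parser that carries all three guards mentioned above: the `length > 0` loop condition, the rejection of `opsize < 2`, and the explicit `opsize > length` rejection that the 2.1 code has, plus the `opsize == 4` test in the MSS case that 2.0 relies on. The option-kind values are the standard RFC 793 ones; the sample byte sequences in `main` are constructed for the demo, with the truncated one being exactly the "NOP,NOP,MSS,4" case from the report, and the helper names `tcp_mss_of` and `tcp_opts_consumed` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Option kinds from the TCP header (RFC 793 values). */
#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4

struct tcp_opts {
    int mss;   /* parsed MSS, or -1 when no complete MSS option was seen */
};

/*
 * Parse `length` bytes of TCP options starting at `ptr`.
 * Returns the number of option bytes actually examined; it never exceeds
 * `length`, so a truncated option cannot cause a read past the buffer.
 * Structure mirrors what the thread describes: the `length > 0` loop test,
 * the `opsize < 2` rejection, and the explicit `opsize > length` rejection.
 * The MSS case additionally insists on opsize == TCPOLEN_MSS.
 */
int parse_tcp_options(const uint8_t *ptr, int length, struct tcp_opts *out)
{
    int consumed = 0;
    out->mss = -1;

    while (length > 0) {
        int opcode = *ptr++;
        int opsize;

        switch (opcode) {
        case TCPOPT_EOL:             /* end of option list */
            return consumed + 1;
        case TCPOPT_NOP:             /* single-byte padding */
            length--;
            consumed++;
            continue;
        default:
            if (length < 2)          /* the length byte itself is missing */
                return consumed;
            opsize = *ptr++;
            if (opsize < 2)          /* "silly" option lengths */
                return consumed;
            if (opsize > length)     /* truncated: would read past the buffer */
                return consumed;

            if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS)
                out->mss = (ptr[0] << 8) | ptr[1];
            /* any other option is skipped over using its own length byte */

            ptr += opsize - 2;
            length -= opsize;
            consumed += opsize;
        }
    }
    return consumed;
}

/* Convenience wrapper: MSS value from an option block, or -1 if absent. */
int tcp_mss_of(const uint8_t *opts, int length)
{
    struct tcp_opts o;
    parse_tcp_options(opts, length, &o);
    return o.mss;
}

/* Bytes examined by the parser for an option block. */
int tcp_opts_consumed(const uint8_t *opts, int length)
{
    struct tcp_opts o;
    return parse_tcp_options(opts, length, &o);
}

int main(void)
{
    /* Constructed sample: the sequence from the report, with the packet
     * ending right after the length byte (only 4 option bytes present). */
    const uint8_t truncated[] = { TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MSS, 4 };
    /* Constructed sample: the same option, complete, advertising MSS 1460. */
    const uint8_t complete[]  = { TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MSS, 4, 0x05, 0xb4 };

    printf("truncated: consumed %d of %d bytes, mss %d\n",
           tcp_opts_consumed(truncated, (int)sizeof truncated),
           (int)sizeof truncated, tcp_mss_of(truncated, (int)sizeof truncated));
    printf("complete:  consumed %d of %d bytes, mss %d\n",
           tcp_opts_consumed(complete, (int)sizeof complete),
           (int)sizeof complete, tcp_mss_of(complete, (int)sizeof complete));
    return 0;
}
```

For the truncated sample the parser stops after the two NOPs (2 bytes consumed) because opsize 4 exceeds the 2 bytes remaining, so the MSS value bytes are never dereferenced; for the complete sample it consumes all 6 bytes and reports 1460. Removing the `opsize > length` test would make the first case advance `ptr` two bytes beyond the buffer, which is exactly the over-read the report worried about.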
