Fix insufficient length validation in TCP packets.

Found via cargo-fuzz.
smoltcp-rs · Jun 24, 2017 · 3107383 · 3107383
1 parent 2989fa3
commit 3107383
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/src/wire/tcp.rs b/src/wire/tcp.rs
@@ -118,6 +118,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
 
     /// Ensure that no accessor method will panic if called.
     /// Returns `Err(Error::Truncated)` if the buffer is too short.
+    /// Returns `Err(Error::Malformed)` if the header length field has a value smaller
+    /// than the minimal header length.
     ///
     /// The result of this check is invalidated by calling [set_header_len].
     ///
@@ -130,6 +132,8 @@ impl<T: AsRef<[u8]>> Packet<T> {
             let header_len = self.header_len() as usize;
             if len < header_len {
                 Err(Error::Truncated)
+            } else if header_len < field::URGENT.end {
+                Err(Error::Malformed)
             } else {
                 Ok(())
             }
@@ -877,6 +881,14 @@ mod test {
         assert_eq!(packet.check_len(), Err(Error::Truncated));
     }
 
+    #[test]
+    fn test_impossible_len() {
+        let mut bytes = vec![0; 20];
+        let mut packet = Packet::new(&mut bytes);
+        packet.set_header_len(10);
+        assert_eq!(packet.check_len(), Err(Error::Malformed));
+    }
+
     static SYN_PACKET_BYTES: [u8; 24] =
         [0xbf, 0x00, 0x00, 0x50,
          0x01, 0x23, 0x45, 0x67,