-check tcp off value

1 files changed, 15 insertions, 0 deletions

diff --git a/src/vpn/gnunet-service-vpn.c b/src/vpn/gnunet-service-vpn.c
index 796a4a6e1..7b29cbbd4 100644
--- a/src/vpn/gnunet-service-vpn.c
+++ b/src/vpn/gnunet-service-vpn.c
@@ -895,6 +895,11 @@ route_packet (struct DestinationEntry *destination,
         return;
       }
       udp = payload;
+      if (udp->len < sizeof (struct GNUNET_TUN_UdpHeader))
+      {
+        GNUNET_break_op (0);
+        return GNUNET_SYSERR;
+      }
       spt = ntohs (udp->spt);
       dpt = ntohs (udp->dpt);
       get_tunnel_key_from_ips (af,
@@ -915,6 +920,11 @@ route_packet (struct DestinationEntry *destination,
         return;
       }
       tcp = payload;
+      if (tcp->off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+      {
+        GNUNET_break_op (0);
+        return GNUNET_SYSERR;
+      }
       spt = ntohs (tcp->spt);
       dpt = ntohs (tcp->dpt);
       get_tunnel_key_from_ips (af,
@@ -2203,6 +2213,11 @@ receive_tcp_back (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
                 inet_ntop (ts->af, &ts->source_ip, dbuf, sizeof (dbuf)),
                 ts->source_port);
   }
+  if (data->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+  {
+    GNUNET_break_op (0);
+    return GNUNET_SYSERR;
+  }
   switch (ts->af)
   {
   case AF_INET: