From 1f7968efff15eb737eb086a298cc1f0f0e308411 Mon Sep 17 00:00:00 2001
From: Chris Leech <cleech@redhat.com>
Date: Tue, 10 Nov 2020 13:55:18 -0800
Subject: [PATCH 2/4] check for u8 overflow when processing TCP options

CVE-2020-13988
---
 iscsiuio/src/uip/uip.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index cfff43c..522fd9d 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -1795,16 +1795,18 @@ found_listen:
 			} else {
 				/* All other options have a length field, so
 				   that we easily can skip past them. */
-				if (ustack->
-				    uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 +
-					    c] == 0) {
+				if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) {
 					/* If the length field is zero, the
 					   options are malformed
 					   and we don't process them further. */
 					break;
 				}
-				c += ustack->uip_buf[uip_ip_tcph_len +
-						     UIP_LLH_LEN + 1 + c];
+				if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) {
+					/* u8 overflow, actually there should
+					 * never be more than 40 bytes of options */
+					break;
+				}
+				c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c];
 			}
 		}
 	}
@@ -2010,6 +2012,14 @@ found:
 							   further. */
 							break;
 						}
+						if ((ustack->uip_buf[uip_ip_tcph_len
+							  + UIP_LLH_LEN + 1 +
+							  c]) > (256 - c)) {
+							/* u8 overflow, actually there should
+							 * never be more than 40 bytes of
+							 * options */
+							break;
+						}
 						c += ustack->
 						    uip_buf[uip_ip_tcph_len +
 							    UIP_LLH_LEN + 1 +
-- 
1.8.3.1