From e2383973cbca64f8e17ed7c4ad98258edfed6644 Mon Sep 17 00:00:00 2001
From: Chris Leech
Date: Tue, 10 Nov 2020 13:36:37 -0800
Subject: [PATCH 1/4] check for header length underflow during checksum calculation CVE-2020-13987
---
 iscsiuio/src/uip/uip.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index e2ce2cc..cfff43c 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
 tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
 upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
- tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
+ tcp_ipv4_hdr->len[1]);
+ /* check for underflow from an invalid length field */
+ if (upper_layer_len < UIP_IPv4_H_LEN) {
+ /* return 0 as an invalid checksum */
+ return 0;
+ }
+ upper_layer_len -= UIP_IPv4_H_LEN;
 /* First sum pseudoheader. */
 /* IP protocol and length fields. This addition cannot carry. */
--
1.8.3.1
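Review bot: The new guard in `upper_layer_chksum_ipv4` only rejects a total-length field smaller than `UIP_IPv4_H_LEN`; nothing in this hunk bounds `upper_layer_len` from above, so a field larger than the data actually received would still set how many bytes the later summing covers. The rest of the function and its callers are outside the hunk, so such a check may already exist elsewhere. If it does not, the same test should also compare the field with the received frame length, e.g. `if (upper_layer_len < UIP_IPv4_H_LEN || upper_layer_len > RECEIVED_LEN) return 0;`, where `RECEIVED_LEN` is a placeholder for whatever the stack records for the frame. The comment on `return 0` would also be clearer if it said why 0 counts as invalid, for instance `/* 0 never equals the value callers accept as a good checksum */`, though that caller contract is inferred and should be confirmed.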