clarartp / dpkt

Automatically exported from code.google.com/p/dpkt
Other
0 stars 0 forks source link

[patch] dpkt.tcp.parse_opts() infinite-loops on a 0-length option #113

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

Call dpkt.tcp.parse_opts() with a set of tcp options that includes a 0-length 
option.

dpkt.tcp.parse_opts('\x02\x00')

What is the expected output? What do you see instead?

The function call should terminate, but it infinite loops.

What version of the product are you using? On what operating system?

1.6 on linux

Please provide any additional information below.

This patch makes it advance through the buffer so that the function completes:

Index: /dpkt/1.6/dpkt/tcp.py
===================================================================
--- /dpkt/1.6/dpkt/tcp.py
+++ /dpkt/1.6/dpkt/tcp.py
@@ -83,7 +83,7 @@
         o = ord(buf[0])
         if o > TCP_OPT_NOP:
             try:
-                l = ord(buf[1])
+                l = max(1, ord(buf[1]))
                 d, buf = buf[2:l], buf[l:]
             except ValueError:
                 #print 'bad option', repr(str(buf))

Original issue reported on code.google.com by goog...@bstpierre.org on 30 Aug 2013 at 2:27

GoogleCodeExporter commented 9 years ago
See https://github.com/kbandla/dpkt/issues/139
This is fixed in 
https://github.com/kbandla/dpkt/commit/3c75b821e52d9a3ac01bc9a9dacb86b1c13c2fa0

Original comment by kbandla@in2void.com on 9 Jun 2015 at 8:14