From 0d2806354e0358c8df71b0d46283f6dbf0a1914f Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Thu, 26 Jan 2012 16:11:25 +0000
Subject: [PATCH] -check tcp off value
---
 src/vpn/gnunet-service-vpn.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/vpn/gnunet-service-vpn.c b/src/vpn/gnunet-service-vpn.c
index 796a4a6e1..7b29cbbd4 100644
--- a/src/vpn/gnunet-service-vpn.c
+++ b/src/vpn/gnunet-service-vpn.c
@@ -895,6 +895,11 @@ route_packet (struct DestinationEntry *destination,
 return;
 }
 udp = payload;
+ if (udp->len < sizeof (struct GNUNET_TUN_UdpHeader))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
+ }
 spt = ntohs (udp->spt);
 dpt = ntohs (udp->dpt);
 get_tunnel_key_from_ips (af,
@@ -915,6 +920,11 @@ route_packet (struct DestinationEntry *destination,
 return;
 }
 tcp = payload;
+ if (tcp->off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
+ }
 spt = ntohs (tcp->spt);
 dpt = ntohs (tcp->dpt);
 get_tunnel_key_from_ips (af,
@@ -2203,6 +2213,11 @@ receive_tcp_back (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
 inet_ntop (ts->af, &ts->source_ip, dbuf, sizeof (dbuf)),
 ts->source_port);
 }
+ if (data->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
+ }
 switch (ts->af)
 {
 case AF_INET:
-- 
2.25.1
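Review bot: The new UDP check reads `udp->len` without a byte-order conversion, while the very next lines convert `udp->spt` and `udp->dpt` with `ntohs`. If `len` is the raw 16-bit header field (the struct definition is not in the hunk), a little-endian host compares the swapped value, so a too-short length such as 1 is seen as 256 and passes. The added `return GNUNET_SYSERR;` also sits right below a bare `return;` in the same function, which suggests `route_packet` returns void; the TCP hunk at -915 has the same issue. Suggested: `if (ntohs (udp->len) < sizeof (struct GNUNET_TUN_UdpHeader))` followed by a plain `return;`. The body of `route_packet` starts and ends outside the hunk.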
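Review bot: The `tcp->off * 4 < sizeof (struct GNUNET_TUN_TcpHeader)` test bounds the header length from below only, so a data offset that claims more bytes than were actually received still passes. If code further down uses `off * 4` to locate options or payload, a malformed packet could drive a read past the end of the buffer. The check should also reject `tcp->off * 4 > PAYLOAD_LEN`, where PAYLOAD_LEN is a placeholder for whatever length accompanies `payload` (not visible in this hunk). The same one-sided check is added in `receive_tcp_back` at -2203, where the upper bound would be the size of the received message. Both functions extend outside their hunks, so an existing upper-bound check elsewhere cannot be ruled out.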