From 6f313e9d4d7d5c94f9831a2f858e85a29e999df9 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Thu, 26 Jan 2012 16:11:16 +0000
Subject: [PATCH] -check tcp off value
---
 src/exit/gnunet-daemon-exit.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/exit/gnunet-daemon-exit.c b/src/exit/gnunet-daemon-exit.c
index b1d7d0d67..075e04aee 100644
--- a/src/exit/gnunet-daemon-exit.c
+++ b/src/exit/gnunet-daemon-exit.c
@@ -1573,6 +1573,11 @@ receive_tcp_service (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
 GNUNET_break_op (0);
 return GNUNET_SYSERR;
 }
+ if (start->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
+ }
 GNUNET_break_op (ntohl (start->reserved) == 0);
 /* setup fresh connection */
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
@@ -1649,6 +1654,11 @@ receive_tcp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
 GNUNET_break_op (0);
 return GNUNET_SYSERR;
 }
+ if (start->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
+ }
 af = (int) ntohl (start->af);
 state->ri.remote_address.af = af;
 switch (af)
@@ -1699,7 +1709,6 @@ receive_tcp_remote (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
 buf, sizeof (buf)),
 (unsigned int) ntohs (start->tcp_header.dpt));
 }
-
 state->ri.remote_address.proto = IPPROTO_TCP;
 state->ri.remote_address.port = ntohs (start->tcp_header.dpt);
 setup_state_record (state);
@@ -1757,6 +1766,11 @@ receive_tcp_data (void *cls GNUNET_UNUSED, struct GNUNET_MESH_Tunnel *tunnel,
 1, GNUNET_NO);
 return GNUNET_SYSERR;
 }
+ if (data->tcp_header.off * 4 < sizeof (struct GNUNET_TUN_TcpHeader))
+ {
+ GNUNET_break_op (0);
+ return GNUNET_SYSERR;
+ }
 GNUNET_break_op (ntohl (data->reserved) == 0);
 {
 char buf[INET6_ADDRSTRLEN];
--
2.25.1
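Review bot: The test added in receive_tcp_service enforces only a lower bound on `tcp_header.off`, so a peer can still send a data offset larger than the header the message actually carries; the identical checks added in receive_tcp_remote and receive_tcp_data have the same gap. If the mesh message holds just the fixed `struct GNUNET_TUN_TcpHeader` with no room for options (the struct definition is not visible in this patch), any larger value would make whatever parses the forwarded segment read payload bytes as TCP options, so consider rejecting it as well, e.g. `if (start->tcp_header.off * 4 != sizeof (struct GNUNET_TUN_TcpHeader))`, or at least bounding `off * 4` by the bytes remaining in the message. A short comment such as `/* off is the TCP data offset in 32-bit words */` would explain the `* 4`, and because the same five lines now appear three times, a small static helper would keep the handlers in sync. All three function bodies continue outside their hunks, so later uses of `off` could not be checked here.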