dccp: Silently ignore options with nonsensical lengths

[cascardo/linux.git] / net / dccp / options.c

diff --git a/net/dccp/options.c b/net/dccp/options.c
index dc7c158..4284f08 100644 (file)
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -81,11 +81,11 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
                /* Check if this isn't a single byte option */
                if (opt > DCCPO_MAX_RESERVED) {
                        if (opt_ptr == opt_end)
-                               goto out_invalid_option;
+                               goto out_nonsensical_length;
 
                        len = *opt_ptr++;
-                       if (len < 3)
-                               goto out_invalid_option;
+                       if (len < 2)
+                               goto out_nonsensical_length;
                        /*
                         * Remove the type and len fields, leaving
                         * just the value size
@@ -95,7 +95,7 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
                        opt_ptr += len;
 
                        if (opt_ptr > opt_end)
-                               goto out_invalid_option;
+                               goto out_nonsensical_length;
                }
 
                /*
@@ -283,6 +283,8 @@ ignore_option:
        if (mandatory)
                goto out_invalid_option;
 
+out_nonsensical_length:
+       /* RFC 4340, 5.8: ignore option and all remaining option space */
        return 0;
 
 out_invalid_option: