From 0affe02b61bd29c83404270323f8e7a8b8c40a14 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 17 Dec 2017 20:20:17 +0100
Subject: ip/tinc: handle single byte noop and end-of-option-list tcp options in clampmss()
---
 sys/src/cmd/ip/tinc.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/sys/src/cmd/ip/tinc.c b/sys/src/cmd/ip/tinc.c
index 31ac6e380..9d4b0bf91 100644
--- a/sys/src/cmd/ip/tinc.c
+++ b/sys/src/cmd/ip/tinc.c
@@ -970,9 +970,20 @@ clampmss(Host *d, uchar *p, int n, int o)
 return;
 if((e = p+(p[12]>>4)*4) > p+n)
 return;
- for(h = p+TcpHdr; h+4 <= e && h[1] > 0; h += h[1])
+ for(h = p+TcpHdr; h < e;){
+ switch(h[0]){
+ case 0:
+ return;
+ case 1:
+ h++;
+ continue;
+ }
+ if(h[1] < 2 || h[1] > e - h)
+ return;
 if(h[0] == 2 && h[1] == 4)
 goto Found;
+ h += h[1];
+ }
 return;
 Found:
 oldmss = h[2]<<8 | h[3];
-- 
cgit v1.2.3
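Review bot: The length byte `h[1]` is read before anything checks that two option bytes remain. When an option kind other than 0 or 1 sits in the last byte of the option area (`h == e-1`), `h[1]` is `*e`, and the earlier test only guarantees `e <= p+n`, so for a segment whose header fills the buffer this reads one byte past the packet data. The outcome is still a `return` whatever that byte holds, so this is a one-byte over-read on peer-controlled input rather than a wrong clamp; whether the buffer has slack beyond `n` is not visible here. Checking the remaining length first closes it: `if(e - h < 2 || h[1] < 2 || h[1] > e - h)`. The body of clampmss() starts and ends outside the hunk, so the earlier bounds on `n` could not be verified.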