From 31073835998016eb70982c69d0f2e5390dbc19b3 Mon Sep 17 00:00:00 2001
From: whitequark
Date: Sat, 24 Jun 2017 12:29:39 +0000
Subject: [PATCH] Fix insufficient length validation in TCP packets. Found via cargo-fuzz.
---
 src/wire/tcp.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/wire/tcp.rs b/src/wire/tcp.rs
index f1f93c973..f205106a3 100644
--- a/src/wire/tcp.rs
+++ b/src/wire/tcp.rs
@@ -118,6 +118,8 @@ impl> Packet {
 /// Ensure that no accessor method will panic if called.
 /// Returns `Err(Error::Truncated)` if the buffer is too short.
+ /// Returns `Err(Error::Malformed)` if the header length field has a value smaller
+ /// than the minimal header length.
 ///
 /// The result of this check is invalidated by calling [set_header_len].
 ///
@@ -130,6 +132,8 @@ impl> Packet {
 let header_len = self.header_len() as usize;
 if len < header_len {
 Err(Error::Truncated)
+ } else if header_len < field::URGENT.end {
+ Err(Error::Malformed)
 } else {
 Ok(())
 }
@@ -877,6 +881,14 @@ mod test {
 assert_eq!(packet.check_len(), Err(Error::Truncated));
 }
+ #[test]
+ fn test_impossible_len() {
+ let mut bytes = vec![0; 20];
+ let mut packet = Packet::new(&mut bytes);
+ packet.set_header_len(10);
+ assert_eq!(packet.check_len(), Err(Error::Malformed));
+ }
+
 static SYN_PACKET_BYTES: [u8; 24] = [0xbf, 0x00, 0x00, 0x50, 0x01, 0x23, 0x45, 0x67,
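Review bot: The added `else if header_len < field::URGENT.end` branch in the second hunk compares against the end offset of the urgent-pointer field, with no comment saying that this is the fixed 20-byte header size or why a smaller value must be rejected. I would add `// The data offset must cover at least the fixed header; a smaller value would make the ranges derived from it invalid.` above the branch. The accessors that consume `header_len` are outside this hunk, so the exact panic path is inferred from the doc comment and the fuzzing note in the commit message. The function also starts before the hunk, so whether `len` itself is checked against `field::URGENT.end` before `header_len()` is read cannot be confirmed from these lines.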
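Review bot: `test_impossible_len` in the third hunk pins only one value, and `10` is not a multiple of four, so what ends up in the data-offset field depends on how `set_header_len` rounds, which this hunk does not show. Using the largest encodable value below the minimum, `packet.set_header_len(16);`, would make the rejected case explicit. Adding the accepting side of the boundary, `packet.set_header_len(20); assert_eq!(packet.check_len(), Ok(()));`, would catch an off-by-one in the `<` comparison. `mod test` continues outside the hunk.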