From eddcc4c5b6b5f9a33dae0317860ee43ae217962b Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Fri, 14 Jan 2022 10:22:41 -0600
Subject: [PATCH] erp: Fix off by one error

The intent of this check is to make sure that at least 2 bytes are available for reading. However, the unintended consequence is that tags with a zero length at the end of input would be rejected. While here, rework the check to be more resistant to potential overflow conditions.
---
 src/erp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/erp.c b/src/erp.c
index e7c5fe86..7c11db46 100644
--- a/src/erp.c
+++ b/src/erp.c
@@ -117,7 +117,7 @@ static bool erp_tlv_iter_next(struct erp_tlv_iter *iter)
 unsigned int tag;
 unsigned int len;

- if (iter->pos + 2 >= iter->max)
+ if (end - tlv < 2)
 return false;

 tag = *tlv++;
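Review bot: The new guard `if (end - tlv < 2)` covers only the tag and length octets consumed from `tag = *tlv++;` onward; the value bytes that `len` then announces need the same subtraction-style bound, e.g. `if (len > end - tlv) return false;`, because an additive form such as `tlv + len > end` can compute a pointer beyond the buffer before the comparison happens. The rest of erp_tlv_iter_next, including the definitions of `tlv` and `end` and whatever length check follows the two reads, lies outside this hunk, so that later check should be confirmed to be written this way. A one-line comment above the guard, `/* need tag + length octets; a zero-length TLV may be the last element */`, would record why the bound is 2, and a unit test feeding a zero-length TLV as the final element would pin the off-by-one this commit fixes.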