From 299e2a707701c40e1412e030df4a55e5334365f4 Mon Sep 17 00:00:00 2001
From: goldsimon <goldsimon>
Date: Sat, 18 Oct 2008 15:24:06 +0000
Subject: [PATCH] fixed bug ##24596: Vulnerability on faulty TCP options length
 in tcp_parseopt

---
 CHANGELOG         | 4 ++++
 src/core/tcp_in.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index ca81a624..34d64a8d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -51,6 +51,10 @@ HISTORY
 
   ++ Bugfixes:
 
+  2008-10-18 Simon Goldschmidt
+  * tcp_in.c: fixed bug ##24596: Vulnerability on faulty TCP options length
+    in tcp_parseopt
+
   2008-10-15 Simon Goldschmidt
   * ip_frag.c: fixed bug #24517: IP reassembly crashes on unaligned IP headers
     by packing the struct ip_reass_helper.
diff --git a/src/core/tcp_in.c b/src/core/tcp_in.c
index 070ec7f4..765ac466 100644
--- a/src/core/tcp_in.c
+++ b/src/core/tcp_in.c
@@ -1308,7 +1308,7 @@ tcp_receive(struct tcp_pcb *pcb)
 static void
 tcp_parseopt(struct tcp_pcb *pcb)
 {
-  u8_t c;
+  u16_t c;
   u8_t *opts, opt;
   u16_t mss;