From c03750dc6ce5230ceb263974e99c2ef3ff4d3c61 Mon Sep 17 00:00:00 2001
From: Apple <opensource@apple.com>
Date: Sat, 4 Oct 2008 02:05:21 +0000
Subject: [PATCH] network_cmds-307.0.1.tar.gz

---
 alias/alias.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/alias/alias.c b/alias/alias.c
index 53273ab..a9e39c6 100644
--- a/alias/alias.c
+++ b/alias/alias.c
@@ -193,16 +193,22 @@ static void DoMSSClamp(struct tcphdr *tc)
 
     while (optionEnd > option)
     {
-        switch (option[0])
-        {
-            case TCPOPT_EOL:
-                option = optionEnd;
+        /* Bounds checking to avoid infinite loops */
+        if (option[0] == TCPOPT_EOL)
+            break;
+        
+        if (option[0] == TCPOPT_NOP) {
+            ++option;
+            continue;
+        } else {
+            if (optionEnd - option < 2)
                 break;
-
-            case TCPOPT_NOP:
-                ++option;
+            if (option[1] < 2 || option + option[1] >= optionEnd)
                 break;
+    	}
 
+        switch (option[0])
+        {
             case TCPOPT_MAXSEG:
                 if (option[1] == 4)
                 {
@@ -212,10 +218,11 @@ static void DoMSSClamp(struct tcphdr *tc)
                     if (packetAliasMSS < mssVal)
                     {
                         int accumulate = mssVal;
-		 	int accnetorder = 0 ;
+                        int accnetorder = 0 ;
+                        
                         accumulate -= packetAliasMSS;
                         *mssPtr = htons(packetAliasMSS);
-		 	accnetorder = htons(accumulate);
+                        accnetorder = htons(accumulate);
                         ADJUST_CHECKSUM(accnetorder, tc->th_sum);
                     }
 
-- 
2.45.2