Software: Suricata, v. 4.1.4
Language: C
Risk: medium / high
Type: heap buffer overflow (logic bug)

Description: This bug was found by libFuzzer. When multiple IPv4 packets with invalid IPv4 options are sent, the function "IPV4OptValidateTimestamp(...)" tries to access a memory region that was not allocated. The code checks o->len < 5, so a valid option is at least 2 bytes of header and 3 bytes of data. It then reads flag = *(o->data + 3), which is beyond those 3 bytes; the code should use +1 instead of +3.

Status: published
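
The off-by-index read from the description, as an added example (not Suricata's code): the Opt struct, the function names and the sample bytes are hypothetical and constructed for illustration. A bounds-checked accessor shows that offset 3 falls outside a minimal 5-byte option while offset 1 stays inside it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified option view (not Suricata's struct):
 * len counts the 2-byte type/len header plus the data bytes. */
typedef struct {
    uint8_t type;
    uint8_t len;
    const uint8_t *data;   /* len - 2 bytes: pointer, oflw|flag, ... */
} Opt;

#define TS_MIN_LEN 5       /* same check as on the page: len < 5 is rejected */

/* Bounds-checked read of data[off]; returns -1 instead of reading past the end. */
static int opt_byte(const Opt *o, size_t off)
{
    if (o->len < 2 || off >= (size_t)(o->len - 2))
        return -1;
    return o->data[off];
}

/* Offset used before the fix: data + 3. */
int ts_flag_old(const Opt *o)
{
    if (o->len < TS_MIN_LEN) return -2;
    return opt_byte(o, 3);          /* out of range when len == 5 */
}

/* Offset after the fix: data + 1. Masking the low nibble follows the
 * RFC 791 oflw|flag layout and is this example's choice. */
int ts_flag_fixed(const Opt *o)
{
    if (o->len < TS_MIN_LEN) return -2;
    int b = opt_byte(o, 1);
    return b < 0 ? b : (b & 0x0f);
}

int main(void)
{
    /* Constructed sample: timestamp option (type 68), len 5, so 3 data bytes. */
    static const uint8_t data[3] = { 5, 0x01, 0x00 };
    Opt o = { 68, 5, data };
    printf("old=%d fixed=%d\n", ts_flag_old(&o), ts_flag_fixed(&o));
    return 0;
}
```

A return value of -1 marks a read that would have landed outside the option's data, which is the condition the fuzzer hit.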