|Software: suricata, v. 4.1.4|
|Risk: medium / high|
|Type: heap buffer overflow (logic bug)|
Description: This bug was found by libFuzzer. When multiple IPv4 packets with invalid IPv4 options were sent, the function "IPV4OptValidateTimestamp(...)" tried to access a memory region that was not allocated. The code checks o->len < 5, so there are 2 bytes of header and 3 bytes of data. It then reads flag = *(o->data + 3), which is beyond those 3 bytes; the code should not use +3 here, but +1.
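The arithmetic behind the description, as an added example that is not Suricata's code: a 5-byte option leaves 3 data bytes after the 2-byte header, so offset 1 is readable and offset 3 is not. The names opt_view, opt_read_u8, ts_opt_flag and the sample bytes are hypothetical and constructed for illustration; the position of the flag in the low nibble of the second data byte follows the RFC 791 timestamp option layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_HDR_LEN 2  /* type byte + length byte */
#define TS_MIN_LEN  5  /* minimum total length, as in the check described above */

/* Hypothetical option view: data points just past the 2-byte header. */
typedef struct {
    uint8_t type;
    uint8_t len;          /* total option length, header included */
    const uint8_t *data;  /* len - OPT_HDR_LEN readable bytes */
} opt_view;

/* Constructed sample: timestamp option (type 68), len 5, pointer 5, flag 1. */
static const uint8_t sample_opt[5] = { 0x44, 0x05, 0x05, 0x01, 0x00 };

/* Bounds-checked read of data[off]: 0 on success, -1 if off is out of range. */
static int opt_read_u8(const opt_view *o, size_t off, uint8_t *out)
{
    /* Only len - OPT_HDR_LEN bytes follow the header. */
    if (o->len < OPT_HDR_LEN || off >= (size_t)(o->len - OPT_HDR_LEN))
        return -1;
    *out = o->data[off];
    return 0;
}

/* Parse one raw option (avail bytes remain) and return its flag nibble. */
static int ts_opt_flag(const uint8_t *buf, size_t avail, uint8_t *flag)
{
    uint8_t b;
    if (avail < OPT_HDR_LEN || buf[1] < TS_MIN_LEN || buf[1] > avail)
        return -1;
    opt_view o = { buf[0], buf[1], buf + OPT_HDR_LEN };
    /* data[0] is the pointer, data[1] is overflow|flag (RFC 791). */
    if (opt_read_u8(&o, 1, &b) != 0)
        return -1;
    *flag = b & 0x0f;
    return 0;
}

int main(void)
{
    uint8_t flag = 0;
    int rc = ts_opt_flag(sample_opt, sizeof sample_opt, &flag);
    printf("rc=%d flag=%u\n", rc, flag);
    return rc == 0 ? 0 : 1;
}
```

Routing every field access through one bounds-checked reader means a wrong offset fails closed with an error return instead of reading past the allocation.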