From f8fef0dd05e87c3bf25e4e5c0bcf136e94c98393 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Tue, 5 Jan 2021 09:31:11 -0500
Subject: [PATCH] decode/tcp: Improved handling of TFO options

This commit improves handling of TCP fast open options
- Option length must be in [6, 18]
- Option length must be an even value
---
 src/decode-tcp.c | 7 ++-----
 src/decode-tcp.h | 2 +-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/decode-tcp.c b/src/decode-tcp.c
index c3f0ad240a..35f59ef2fe 100644
--- a/src/decode-tcp.c
+++ b/src/decode-tcp.c
@@ -154,11 +154,8 @@ static void DecodeTCPOptions(Packet *p, const uint8_t *pkt, uint16_t pktlen)
                     break;
                 case TCP_OPT_TFO:
                     SCLogDebug("TFO option, len %u", olen);
-                    if ((olen != 2) &&
-                           (olen < TCP_OPT_TFO_MIN_LEN ||
-                            olen > TCP_OPT_TFO_MAX_LEN ||
-                            !((olen - 2) % 8 == 0)))
-                    {
+                    if ((olen != 2) && (olen < TCP_OPT_TFO_MIN_LEN || olen > TCP_OPT_TFO_MAX_LEN ||
+                                               !(((olen - 2) & 0x1) == 0))) {
                         ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN);
                     } else {
                         if (p->tcpvars.tfo.type != 0) {
diff --git a/src/decode-tcp.h b/src/decode-tcp.h
index 025e872860..7bcae94342 100644
--- a/src/decode-tcp.h
+++ b/src/decode-tcp.h
@@ -62,7 +62,7 @@
 #define TCP_OPT_SACK_MIN_LEN                 10 /* hdr 2, 1 pair 8 = 10 */
 #define TCP_OPT_SACK_MAX_LEN                 34 /* hdr 2, 4 pair 32= 34 */
 #define TCP_OPT_TFO_MIN_LEN                  6  /* kind, len, 6 */
-#define TCP_OPT_TFO_MAX_LEN                  20 /* kind, len, 18 */
+#define TCP_OPT_TFO_MAX_LEN                  18 /* kind, len, 18 */
 
 /** Max valid wscale value. */
 #define TCP_WSCALE_MAX                       14