This vulnerability was analyzed during Episode 196 on 14 March 2023
A straightforward integer underflow in OpenBSD's handling of IP header options on received packets (the ip_dooptions() code in the kernel's IP input path). While ip_dooptions() and its IPOPT_SSRR option handler check that the attacker-supplied option length optlen isn't too large, they never check that it isn't too small. When the IPOPT_SSRR handler calls save_rte() to stash the route for use in the reply, save_rte() computes isr->isr_nhops as (optlen - IPOPT_OFFSET - 1) / sizeof(struct in_addr) using unsigned arithmetic. IPOPT_OFFSET is 2, so a value such as optlen=2 makes the subtraction wrap to 0xFFFFFFFF, and after the divide by four isr_nhops ends up as 0x3FFFFFFF (roughly a billion hops) instead of zero.

This becomes critical when that field is used later in ip_srcroute(), which walks the recorded hops backwards starting from index isr_nhops - 1 to build the reversed source route. With the bogus hop count it indexes far beyond the isr_routes array, an out-of-bounds access of the saved-route record.
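The arithmetic above, as an added illustration that is not OpenBSD's code: a model of the save_rte() hop-count computation on a strict-source-route option, beside the obvious hardened form that rejects options shorter than the fixed type/length/pointer header before subtracting. The struct layout, the sim_ names, the MAX_IPOPTLEN upper bound and the sample option bytes are assumptions constructed for the example; the kernel's own upper-bound check and record layout differ in detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants with the values used by netinet/ip.h. */
#define IPOPT_SSRR    137   /* strict source route, option type byte */
#define IPOPT_OLEN    1     /* index of the option length byte */
#define IPOPT_OFFSET  2     /* index of the pointer byte */
#define MAX_IPOPTLEN  40    /* most option bytes an IP header can carry */

struct sim_in_addr { uint32_t s_addr; };

/* Hypothetical sketch of the saved-route record; the field names follow
 * the kernel's struct ip_srcrt but the layout is an assumption. */
struct sim_srcrt {
    unsigned char      isr_hdr[IPOPT_OFFSET + 1];
    struct sim_in_addr isr_routes[MAX_IPOPTLEN / sizeof(struct sim_in_addr)];
    int                isr_nhops;
};

/* Constructed sample options (not captured traffic):
 * a well-formed 2-hop SSRR and the 2-byte runt that triggers the wrap. */
const unsigned char sample_good[] = { IPOPT_SSRR, 11, 4,
                                      10, 0, 0, 1,
                                      10, 0, 0, 2 };
const unsigned char sample_runt[] = { IPOPT_SSRR, 2, 4 };

/* Vulnerable pattern: olen is unsigned and only its upper bound is
 * checked, so olen = 2 makes (olen - 2 - 1) wrap to 0xFFFFFFFF before
 * the divide. Returns the hop count the record would be tagged with. */
unsigned vulnerable_nhops(const unsigned char *opt)
{
    unsigned olen = opt[IPOPT_OLEN];
    if (olen > MAX_IPOPTLEN)          /* upper bound only, as in the bug */
        return 0;
    return (olen - IPOPT_OFFSET - 1) / sizeof(struct sim_in_addr);
}

/* Hardened form: require room for the type, length and pointer bytes
 * before subtracting. Returns 0 and sets *nhops on success, -1 if the
 * option is too short or too long. */
int hardened_nhops(const unsigned char *opt, int *nhops)
{
    unsigned olen = opt[IPOPT_OLEN];
    if (olen < IPOPT_OFFSET + 1 || olen > MAX_IPOPTLEN)
        return -1;
    *nhops = (int)((olen - IPOPT_OFFSET - 1) / sizeof(struct sim_in_addr));
    return 0;
}

/* Byte offset from the start of isr_routes that a consumer walking the
 * hops backwards from isr_routes[nhops - 1] would touch first. */
size_t first_hop_offset(int nhops)
{
    return (size_t)(nhops - 1) * sizeof(struct sim_in_addr);
}

int main(void)
{
    int n = 0;

    printf("good option: vulnerable nhops=%u\n", vulnerable_nhops(sample_good));
    if (hardened_nhops(sample_good, &n) == 0)
        printf("good option: hardened nhops=%d\n", n);

    unsigned bad = vulnerable_nhops(sample_runt);
    printf("runt option: vulnerable nhops=0x%x, first hop read at byte %zu "
           "(isr_routes is %zu bytes)\n",
           bad, first_hop_offset((int)bad),
           sizeof(((struct sim_srcrt *)0)->isr_routes));
    printf("runt option: hardened rc=%d\n", hardened_nhops(sample_runt, &n));
    return 0;
}
```

The runt option passes the upper-bound check and comes out with 0x3FFFFFFF hops, so the first element ip_srcroute()-style code would touch sits about 4 GiB past a 40-byte array; the hardened version refuses the option before any subtraction happens.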