dcsctp: Enforce variable length TLV minimum length

The length field was validated to not be too big, or to have too much
padding, but it could be smaller than the fixed size of the chunk, which
isn't correct. Now it's enforced to be at minimum the size of the fixed
size header.

Bug: webrtc:12614
Change-Id: I57089a5ba2854eeb63ab3b4e28cf5878087d06e8
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/214484
Reviewed-by: Tommi <tommi@webrtc.org>
Commit-Queue: Victor Boivie <boivie@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#33659}

net/dcsctp/packet/tlv_trait.h

@@ -105,7 +105,7 @@ class TLVTrait {
       }
     } else {
       // Expect variable length data - verify its size alignment.
-      if (length > data.size()) {
+      if (length > data.size() || length < Config::kHeaderSize) {
         tlv_trait_impl::ReportInvalidVariableLengthField(length, data.size());
         return absl::nullopt;
       }

net/dcsctp/packet/tlv_trait_test.cc

@@ -77,7 +77,7 @@ struct TwoByteTypeConfig {
   static constexpr int kTypeSizeInBytes = 2;
   static constexpr int kType = 31337;
   static constexpr size_t kHeaderSize = 8;
-  static constexpr int kVariableLengthAlignment = 4;
+  static constexpr int kVariableLengthAlignment = 2;
 };
 
 class TwoByteChunk : public TLVTrait<TwoByteTypeConfig> {
@@ -122,5 +122,12 @@ TEST(TlvDataTest, CanReadTwoByteTypeTlvs) {
               ElementsAre(0x05, 0x06, 0x07, 0x08, 0xDE, 0xAD, 0xBE, 0xEF));
 }
 
+TEST(TlvDataTest, CanHandleInvalidLengthSmallerThanFixedSize) {
+  // Has 'length=6', which is below the kHeaderSize of 8.
+  uint8_t data[] = {0x7A, 0x69, 0x00, 0x06, 0x01, 0x02, 0x03, 0x04};
+
+  EXPECT_FALSE(TwoByteChunk::Parse(data).has_value());
+}
+
 }  // namespace
 }  // namespace dcsctp