sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2025-12-23 21:41:43 +03:00
Code Issues Packages Projects Releases Wiki Activity

[tcp] Avoid potential NULL pointer dereference

Browse Source 
Commit ea61075 ("[tcp] Add support for TCP window scaling") introduced
a potential NULL pointer dereference by referring to the connection's
send window scale before checking whether or not the connection is
known.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2012-06-30 19:02:36 +01:00
parent 49ac629821
commit 55f52bb77a
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/net/tcp.c
View File

@@ -1155,6 +1155,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
uint16_t csum; uint16_t csum;
uint32_t seq; uint32_t seq;
uint32_t ack; uint32_t ack;
uint16_t raw_win;
uint32_t win; uint32_t win;
unsigned int flags; unsigned int flags;
size_t len; size_t len;
@@ -1195,7 +1196,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
tcp = tcp_demux ( ntohs ( tcphdr->dest ) ); tcp = tcp_demux ( ntohs ( tcphdr->dest ) );
seq = ntohl ( tcphdr->seq ); seq = ntohl ( tcphdr->seq );
ack = ntohl ( tcphdr->ack ); ack = ntohl ( tcphdr->ack );
win = ( ntohs ( tcphdr->win ) << tcp->snd_win_scale ); raw_win = ntohs ( tcphdr->win );
flags = tcphdr->flags; flags = tcphdr->flags;
tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ), tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ),
( hlen - sizeof ( *tcphdr ) ), &options ); ( hlen - sizeof ( *tcphdr ) ), &options );
@@ -1226,6 +1227,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
/* Handle ACK, if present */ /* Handle ACK, if present */
if ( flags & TCP_ACK ) { if ( flags & TCP_ACK ) {
win = ( raw_win << tcp->snd_win_scale );
if ( ( rc = tcp_rx_ack ( tcp, ack, win ) ) != 0 ) { if ( ( rc = tcp_rx_ack ( tcp, ack, win ) ) != 0 ) {
tcp_xmit_reset ( tcp, st_src, tcphdr ); tcp_xmit_reset ( tcp, st_src, tcphdr );
goto discard; goto discard;