I don't understand much about the code in question, but the ticket #6789

hints at a possible problem: Within the process_options() function, the
code does not make sure that size is a multiple of the option length
(unless I missed something) and thus the loop could wrap the unsigned
size variable, and not exit as intended. Make size an ssize_t and cast
where appropriate, after making sure it's initially a positive value.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@39309 a95241bf-73f2-0310-859d-f6bbb57e9c96
Stephan Aßmus 2010-11-05 17:39:15 +00:00
parent 09bd92c5c0
commit 21c8f94c7d
1 changed files with 3 additions and 3 deletions

@ -170,9 +170,9 @@ add_options(tcp_segment_header &segment, uint8 *buffer, size_t bufferSize)
static void
process_options(tcp_segment_header &segment, net_buffer *buffer, size_t size)
process_options(tcp_segment_header &segment, net_buffer *buffer, ssize_t size)
{
if (size == 0)
if (size <= 0)
return;
tcp_option *option;
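Review bot: The change of `size` to `ssize_t` in the `process_options()` signature has no comment explaining why the parameter is signed, so a later cleanup could turn it back into `size_t` and reintroduce the wrap described in the commit message. Add a short comment above the function stating that `size` is decremented per option and must be able to go negative. The loop is not part of the visible lines, so also confirm its condition is `size > 0` rather than `size != 0`; with the latter, a negative remainder still would not end it.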
@ -180,7 +180,7 @@ process_options(tcp_segment_header &segment, net_buffer *buffer, size_t size)
uint8 optionsBuffer[kMaxOptionSize];
if (gBufferModule->direct_access(buffer, sizeof(tcp_header), size,
(void **)&option) != B_OK) {
if (size > sizeof(optionsBuffer)) {
if ((size_t)size > sizeof(optionsBuffer)) {
dprintf("Ignoring TCP options larger than expected.\n");
return;
}
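Review bot: The cast in `(size_t)size > sizeof(optionsBuffer)` is only correct because the `size <= 0` early return runs first; a negative value cast to `size_t` would become very large and be rejected here, but that dependency is implicit. Either note it in a comment next to the comparison or assert `size > 0` before it. The `direct_access(buffer, sizeof(tcp_header), size, ...)` call two lines above still takes the signed `size` with no cast, so make the conversion explicit there as well to be consistent with "cast where appropriate".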