I don't understand much about the code in question, but the ticket #6789
hints at a possible problem: Within the process_options() function, the code does not make sure that size is a multiple of the option length (unless I missed something) and thus the loop could wrap the unsigned size variable, and not exit as intended. Make size an ssize_t and cast where appropriate, after making sure it's initially a positive value. git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@39309 a95241bf-73f2-0310-859d-f6bbb57e9c96
This commit is contained in:
parent
09bd92c5c0
commit
21c8f94c7d
|
@ -170,9 +170,9 @@ add_options(tcp_segment_header &segment, uint8 *buffer, size_t bufferSize)
|
|||
|
||||
|
||||
static void
|
||||
process_options(tcp_segment_header &segment, net_buffer *buffer, size_t size)
|
||||
process_options(tcp_segment_header &segment, net_buffer *buffer, ssize_t size)
|
||||
{
|
||||
if (size == 0)
|
||||
if (size <= 0)
|
||||
return;
|
||||
|
||||
tcp_option *option;
|
||||
|
@ -180,7 +180,7 @@ process_options(tcp_segment_header &segment, net_buffer *buffer, size_t size)
|
|||
uint8 optionsBuffer[kMaxOptionSize];
|
||||
if (gBufferModule->direct_access(buffer, sizeof(tcp_header), size,
|
||||
(void **)&option) != B_OK) {
|
||||
if (size > sizeof(optionsBuffer)) {
|
||||
if ((size_t)size > sizeof(optionsBuffer)) {
|
||||
dprintf("Ignoring TCP options larger than expected.\n");
|
||||
return;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue