diff options
| author | Michael Brown | 2012-06-30 20:02:36 +0200 |
|---|---|---|
| committer | Michael Brown | 2012-06-30 20:03:07 +0200 |
| commit | 55f52bb77a708ede94176c354fb5f27177fd5e99 (patch) | |
| tree | 9174ae11d439d0c718dec2f68ce4962ac67202db /src/net/tcp.c | |
| parent | [tcp] Use a zero window size for RST packets (diff) | |
| download | ipxe-55f52bb77a708ede94176c354fb5f27177fd5e99.tar.gz ipxe-55f52bb77a708ede94176c354fb5f27177fd5e99.tar.xz ipxe-55f52bb77a708ede94176c354fb5f27177fd5e99.zip | |
[tcp] Avoid potential NULL pointer dereference
Commit ea61075 ("[tcp] Add support for TCP window scaling") introduced
a potential NULL pointer dereference by referring to the connection's
send window scale before checking whether or not the connection is
known.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/net/tcp.c')
| -rw-r--r-- | src/net/tcp.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/net/tcp.c b/src/net/tcp.c index 3cd357fc..7a127260 100644 --- a/src/net/tcp.c +++ b/src/net/tcp.c @@ -1155,6 +1155,7 @@ static int tcp_rx ( struct io_buffer *iobuf, uint16_t csum; uint32_t seq; uint32_t ack; + uint16_t raw_win; uint32_t win; unsigned int flags; size_t len; @@ -1195,7 +1196,7 @@ static int tcp_rx ( struct io_buffer *iobuf, tcp = tcp_demux ( ntohs ( tcphdr->dest ) ); seq = ntohl ( tcphdr->seq ); ack = ntohl ( tcphdr->ack ); - win = ( ntohs ( tcphdr->win ) << tcp->snd_win_scale ); + raw_win = ntohs ( tcphdr->win ); flags = tcphdr->flags; tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ), ( hlen - sizeof ( *tcphdr ) ), &options ); @@ -1226,6 +1227,7 @@ static int tcp_rx ( struct io_buffer *iobuf, /* Handle ACK, if present */ if ( flags & TCP_ACK ) { + win = ( raw_win << tcp->snd_win_scale ); if ( ( rc = tcp_rx_ack ( tcp, ack, win ) ) != 0 ) { tcp_xmit_reset ( tcp, st_src, tcphdr ); goto discard; |