author | bde <bde@FreeBSD.org> | 1998-07-13 11:53:59 +0000 |
---|---|---|
committer | bde <bde@FreeBSD.org> | 1998-07-13 11:53:59 +0000 |
commit | d16ff5c40096a2af9f99118e0c672aba53e77fcd (patch) | |
tree | e20ea2ed11cfbe06db0b371b1038a4edc5da1bef /sys/netinet/tcp_output.c | |
parent | b384a06abb90f7bb9d5b255c124ec54539f2da85 (diff) | |
Fixed overflow and sign extension bugs in
`len = min(so->so_snd.sb_cc, win) - off;'. min() has type u_int
and `off' has type int, so when min() is 0 and `off' is 1, the RHS
overflows to 0U - 1 = UINT_MAX. `len' has type long, so when
sizeof(long) == sizeof(int), the LHS normally overflows to the
correct value of -1, but when sizeof(long) > sizeof(int), the LHS
is UINT_MAX.
Fixed some u_long's that should have been fixed-sized types.
Diffstat (limited to 'sys/netinet/tcp_output.c')
-rw-r--r-- | sys/netinet/tcp_output.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 1f067a9..a0ae43a 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE. * * @(#)tcp_output.c 8.4 (Berkeley) 5/24/95
- * $Id: tcp_output.c,v 1.29 1998/04/06 06:52:44 phk Exp $
+ * $Id: tcp_output.c,v 1.30 1998/05/24 18:41:04 fenner Exp $
 */
 #include "opt_tcpdebug.h"
@@ -148,7 +148,7 @@ again:
 } }
- len = min(so->so_snd.sb_cc, win) - off;
+ len = (long)ulmin(so->so_snd.sb_cc, win) - off;
 if ((taop = tcp_gettaocache(tp->t_inpcb)) == NULL) { taop = &tao_noncached;
@@ -334,7 +334,7 @@ send:
 if ((tp->t_flags & TF_REQ_SCALE) && ((flags & TH_ACK) == 0 || (tp->t_flags & TF_RCVD_SCALE))) {
- *((u_long *) (opt + optlen)) = htonl(
+ *((u_int32_t *)(opt + optlen)) = htonl(
 TCPOPT_NOP << 24 | TCPOPT_WINDOW << 16 | TCPOLEN_WINDOW << 8 |
@@ -353,7 +353,7 @@ send:
 (flags & TH_RST) == 0 && ((flags & TH_ACK) == 0 || (tp->t_flags & TF_RCVD_TSTMP))) {
- u_long *lp = (u_long *)(opt + optlen);
+ u_int32_t *lp = (u_int32_t *)(opt + optlen);
 /* Form timestamp option as shown in appendix A of RFC 1323. */ *lp++ = htonl(TCPOPT_TSTAMP_HDR); |
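Review bot: The `(long)` cast on the `len` assignment in the `again:` hunk at 148 carries the whole fix but has no comment, so a later cleanup could drop it and bring back the unsigned wrap when `off` exceeds the minimum. I would add above it `/* Signed on purpose: len goes negative when off > min(sb_cc, win); do not compute this in unsigned. */`. The declaration of `win` is outside the hunk; if it is a signed type, a negative value passed to `ulmin()` would convert to a very large unsigned number and the send-buffer count would be picked instead, so it is worth confirming that `win` cannot be negative at this point. The enclosing function starts and ends outside the hunk.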
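Review bot: The store in the `send:` hunk at 334 still writes a 32-bit word through a pointer cast from `opt + optlen`, which is only safe if that address is 4-byte aligned; the declaration of `opt` and the value of `optlen` at this point are outside the hunk, so this cannot be confirmed from here. On a strict-alignment machine a misaligned store in the output path would fault in the kernel. Building the word in a local and copying it, `u_int32_t w = htonl(...); bcopy(&w, opt + optlen, sizeof(w));`, removes the assumption; otherwise a comment stating the alignment invariant would do. The same applies to `u_int32_t *lp = (u_int32_t *)(opt + optlen);` in the hunk at 353. Both enclosing blocks continue outside their hunks.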