Commit ea61075 ("[tcp] Add support for TCP window scaling") introduced a potential NULL pointer dereference by referring to the connection's send window scale before checking whether or not the connection is known. Signed-off-by: Michael Brown <mcb30@ipxe.org>

12 years ago · 55f52bb77a
--- a/src/net/tcp.c
+++ b/src/net/tcp.c
 
															
															 	uint16_t csum;
														
 
															
															 	uint32_t seq;
														
 
															
															 	uint32_t ack;
														
 
															
															+	uint16_t raw_win;
														
 
															
															 	uint32_t win;
														
 
															
															 	unsigned int flags;
														
 
															
															 	size_t len;
														
 
															
															 	tcp = tcp_demux ( ntohs ( tcphdr->dest ) );
														
 
															
															 	seq = ntohl ( tcphdr->seq );
														
 
															
															 	ack = ntohl ( tcphdr->ack );
														
 
															
															-	win = ( ntohs ( tcphdr->win ) << tcp->snd_win_scale );
														
 
															
															+	raw_win = ntohs ( tcphdr->win );
														
 
															
															 	flags = tcphdr->flags;
														
 
															
															 	tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ),
														
 
															
															 		      ( hlen - sizeof ( *tcphdr ) ), &options );
														
 
															
															 	/* Handle ACK, if present */
														
 
															
															 	if ( flags & TCP_ACK ) {
														
 
															
															+		win = ( raw_win << tcp->snd_win_scale );
														
 
															
															 		if ( ( rc = tcp_rx_ack ( tcp, ack, win ) ) != 0 ) {
														
 
															
															 			tcp_xmit_reset ( tcp, st_src, tcphdr );
														
 
															
															 			goto discard;