lwip-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #51447] Sequence number comparisons invoke implementat


From: Dirk Ziegelmeier
Subject: [lwip-devel] [bug #51447] Sequence number comparisons invoke implementation-defined behavior
Date: Thu, 31 Jan 2019 04:52:02 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

Follow-up Comment #14, bug #51447 (project lwip):

Response from Stian Skjelstad on mailinglist:

Looking at Hiromasa ITO numbers:

if (TCP_SEQ_BETWEEN(pcb->rcv_nxt, seqno + 1, seqno + tcplen - 1)) {
                      u32         u32         u32       u16

seqno + 1          : 0x13d897cb
seqno + tcplen - 1 : 0x13d897ca /* this is smaller than seqno + 1, so already
here, we see that this test should currently ALWAYS fail, when viewed with
human eyes. It should be impossible to fit a number within the given range*/
pcb->rcv_nxt       : 0x93d897ca

TCP_SEQ_GEQ(0x93d897ca, 0x13d897cb) && TCP_SEQ_LEQ (0x93d897ca, 0x13d897ca)

/* signed compare*/      /* signed compare*/
  (0x7FFFFFFF >= 0)   && ( 0x80000000 <= 0)
  (2147483647 >= 0)   && (-2147483648 <= 0)


It looks like we should inspect tcplen before checking TCP_SEQ_BETWEEN.
Currently tcplen is checked for greater than zero, but it should be greater
than 1 for the current test to be valid (parameter 3 should be same size or
greater than 2)

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?51447>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/




reply via email to

[Prev in Thread] Current Thread [Next in Thread]