[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #51447] Sequence number comparisons invoke implementat
From: |
Dirk Ziegelmeier |
Subject: |
[lwip-devel] [bug #51447] Sequence number comparisons invoke implementation-defined behavior |
Date: |
Thu, 31 Jan 2019 04:52:02 -0500 (EST) |
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 |
Follow-up Comment #14, bug #51447 (project lwip):
Response from Stian Skjelstad on mailinglist:
Looking at Hiromasa ITO numbers:
if (TCP_SEQ_BETWEEN(pcb->rcv_nxt, seqno + 1, seqno + tcplen - 1)) {
u32 u32 u32 u16
seqno + 1 : 0x13d897cb
seqno + tcplen - 1 : 0x13d897ca /* this is smaller than seqno + 1, so already
here, we see that this test should currently ALWAYS fail, when viewed with
human eyes. It should be impossible to fit a number within the given range*/
pcb->rcv_nxt : 0x93d897ca
TCP_SEQ_GEQ(0x93d897ca, 0x13d897cb) && TCP_SEQ_LEQ (0x93d897ca, 0x13d897ca)
/* signed compare*/ /* signed compare*/
(0x7FFFFFFF >= 0) && ( 0x80000000 <= 0)
(2147483647 >= 0) && (-2147483648 <= 0)
It looks like we should inspect tcplen before checking TCP_SEQ_BETWEEN.
Currently tcplen is checked for greater than zero, but it should be greater
than 1 for the current test to be valid (parameter 3 should be same size or
greater than 2)
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?51447>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/