[tcp] Fix potential use-after-free when accessing timestamp option
Reported-by: Piotr Jaroszyński <p.jaroszynski@gmail.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Jul 7, 2010
1 parent 3cefc5a commit 68c2f07
Showing 1 changed file with 7 additions and 4 deletions.
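--- a/src/net/tcp.c
+++ b/src/net/tcp.c
@@ -900,6 +900,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
 uint32_t seq;
 uint32_t ack;
 uint32_t win;
+uint32_t ts_recent;
 unsigned int flags;
 size_t len;
 int rc;
@@ -941,6 +942,8 @@ static int tcp_rx ( struct io_buffer *iobuf,
 flags = tcphdr->flags;
 tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ),
 ( hlen - sizeof ( *tcphdr ) ), &options );
+ts_recent = ( options.tsopt ?
+ntohl ( options.tsopt->tsval ) : tcp->ts_recent );
 iob_pull ( iobuf, hlen );
 len = iob_len ( iobuf );
 
@@ -981,7 +984,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
 }
 
 /* Handle new data, if any */
-tcp_rx_data ( tcp, seq, iobuf );
+tcp_rx_data ( tcp, seq, iob_disown ( iobuf ) );
 seq += len;
 
 /* Handle FIN, if present */
@@ -990,9 +993,9 @@ static int tcp_rx ( struct io_buffer *iobuf,
 seq++;
 }
 
-/* Update timestamp, if present and applicable */
-if ( ( seq == tcp->rcv_ack ) && options.tsopt )
-tcp->ts_recent = ntohl ( options.tsopt->tsval );
+/* Update timestamp, if applicable */
+if ( seq == tcp->rcv_ack )
+tcp->ts_recent = ts_recent;
 
 /* Dump out any state change as a result of the received packet */
 tcp_dump_state ( tcp );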
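Review bot: The new early read `ts_recent = ( options.tsopt ? ntohl ( options.tsopt->tsval ) : tcp->ts_recent );` has no comment saying why it must run before `tcp_rx_data()`, so a later cleanup could move the read back beside the `seq == tcp->rcv_ack` check and reintroduce the use-after-free. Going by the commit title and the pointer passed to `tcp_rx_opts()`, `options.tsopt` appears to point into the received buffer, whose ownership is handed over by `iob_disown ( iobuf )`. I would add `/* Copy out the timestamp now: options.tsopt points into iobuf, which tcp_rx_data() takes ownership of and may free */` above the assignment. `options.tsopt` is still a stale pointer after the hand-off, so any other use of `options` later in `tcp_rx()`, whose body extends beyond these hunks, deserves the same check.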
