From: Young Xiao <92siuy...@gmail.com>
Date: Wed, 29 May 2019 16:10:59 +0800
> The TCP option parsing routines in tcp_parse_options function could
> read one byte out of the buffer of the TCP options.
>
> 1 while (length > 0) {
> 2 int opcode = *ptr++;
> 3
On Wed, May 29, 2019 at 8:11 AM Yang Xiao <92siuy...@gmail.com> wrote:
>
> Indeed, condition opsize < 2 and opsize > length can deduce that length >= 2.
> However, before the condition (if opsize < 2), there may be one-byte
> out-of-bound access in line 12.
> I'm not sure whether I have put it
Indeed, condition opsize < 2 and opsize > length can deduce that length >= 2.
However, before the condition (if opsize < 2), there may be one-byte
out-of-bound access in line 12.
I'm not sure whether I have put it very clearly.
On Wed, May 29, 2019 at 10:20 PM Eric Dumazet wrote:
>
> On Wed, May
On Wed, May 29, 2019 at 1:10 AM Young Xiao <92siuy...@gmail.com> wrote:
>
> The TCP option parsing routines in tcp_parse_options function could
> read one byte out of the buffer of the TCP options.
>
> 1 while (length > 0) {
> 2 int opcode = *ptr++;
> 3 int
The TCP option parsing routines in tcp_parse_options function could
read one byte out of the buffer of the TCP options.
1 while (length > 0) {
2 int opcode = *ptr++;
3 int opsize;
4
5 switch (opcode) {
6 case TCPOPT_EOL:
7