Actions
Bug #1076
closedTcp assembly sliding window left_edge could be unexpected value.
Affected Versions:
Effort:
Difficulty:
Label:
Description
In stream-tcp-reassemble.c, the function StreamTcpReassembleInlineRaw() has the following code:
/* determine the left edge and right edge */
uint32_t right_edge = TCP_GET_SEQ(p) + p->payload_len;
uint32_t left_edge = right_edge - chunk_size;
......
......
left_edge = (ra_base_seq + 1) - chunk_size;
In theory, (right_edge - chunk_size) could be less than zero. This will cause uint32_t left_edge to be an unexpected value.
Therefore, it will be necessary to compare right_edge and chunk_size before doing (right_edge - chunk_size).
Updated by Song Liu almost 11 years ago
I debugged it, and it's like SEG_GT and SEG_LEQ already convert unsigned integer to signed integer and handle this case and would not cause problem.
Actions