Project

General

Profile

Actions
Copy link

Bug #1076

closed
SL SL

Tcp assembly sliding window left_edge could be unexpected value.

Bug #1076: Tcp assembly sliding window left_edge could be unexpected value.

Added by Song Liu over 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Song Liu
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

In stream-tcp-reassemble.c, the function StreamTcpReassembleInlineRaw() has the following code:

/* determine the left edge and right edge */
uint32_t right_edge = TCP_GET_SEQ(p) + p->payload_len;
uint32_t left_edge = right_edge - chunk_size;
......
......
left_edge = (ra_base_seq + 1) - chunk_size;

In theory, (right_edge - chunk_size) could be less than zero. This will cause uint32_t left_edge to be an unexpected value.

Therefore, it will be necessary to compare right_edge and chunk_size before doing (right_edge - chunk_size).

SL Updated by Song Liu over 12 years ago Actions
Copy link
 #1

I debugged it, and it's like SEG_GT and SEG_LEQ already convert unsigned integer to signed integer and handle this case and would not cause problem.

SL Updated by Song Liu about 12 years ago Actions
Copy link
 #2

  • Status changed from New to Closed

VJ Updated by Victor Julien about 12 years ago Actions
Copy link
 #3

  • Target version deleted (1.4.8)
Actions
Copy link

Also available in: PDF Atom