From 9105bb46802c2d3e91e1fd16e0df22c534a7c441 Mon Sep 17 00:00:00 2001
From: Bruce Evans
Date: Mon, 13 Jul 1998 11:53:59 +0000
Subject: [PATCH] Fixed overflow and sign extension bugs in `len = min(so->so_snd.sb_cc, win) - off;'.
min() has type u_int and `off' has type int, so when min() is 0 and `off' is 1, the RHS overflows to 0U - 1 = UINT_MAX. `len' has type long, so when sizeof(long) == sizeof(int), the LHS normally overflows to to the correct value of -1, but when sizeof(long) > sizeof(int), the LHS is UINT_MAX.
Fixed some u_long's that should have been fixed-sized types.
---
 sys/netinet/tcp_output.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 1f067a9c71b..a0ae43af0b4 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)tcp_output.c 8.4 (Berkeley) 5/24/95
- * $Id: tcp_output.c,v 1.29 1998/04/06 06:52:44 phk Exp $
+ * $Id: tcp_output.c,v 1.30 1998/05/24 18:41:04 fenner Exp $
 */
 #include "opt_tcpdebug.h"
@@ -148,7 +148,7 @@ again:
 }
 }
- len = min(so->so_snd.sb_cc, win) - off;
+ len = (long)ulmin(so->so_snd.sb_cc, win) - off;
 if ((taop = tcp_gettaocache(tp->t_inpcb)) == NULL) {
 taop = &tao_noncached;
@@ -334,7 +334,7 @@ send:
 if ((tp->t_flags & TF_REQ_SCALE) &&
 ((flags & TH_ACK) == 0 ||
 (tp->t_flags & TF_RCVD_SCALE))) {
- *((u_long *) (opt + optlen)) = htonl(
+ *((u_int32_t *)(opt + optlen)) = htonl(
 TCPOPT_NOP << 24 |
 TCPOPT_WINDOW << 16 |
 TCPOLEN_WINDOW << 8 |
@@ -353,7 +353,7 @@ send:
 (flags & TH_RST) == 0 &&
 ((flags & TH_ACK) == 0 ||
 (tp->t_flags & TF_RCVD_TSTMP))) {
- u_long *lp = (u_long *)(opt + optlen);
+ u_int32_t *lp = (u_int32_t *)(opt + optlen);
 /* Form timestamp option as shown in appendix A of RFC 1323. */
 *lp++ = htonl(TCPOPT_TSTAMP_HDR);
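Review bot: The `(long)` cast on the new `len = (long)ulmin(so->so_snd.sb_cc, win) - off;` line is load-bearing but reads as redundant, and nothing in the hunk says why it is there, so a later cleanup that drops it would silently reintroduce the `0U - 1 = UINT_MAX` wraparound this commit fixes on targets where sizeof(long) > sizeof(int). I would put a comment directly above it: `/* Cast before subtracting: ulmin() is unsigned and off is int, and len must be able to go negative (e.g. -1 when nothing is queued but off == 1). */`. The hunk also does not show how `win` is declared; if it is a signed type, a negative value would convert to a huge u_long and ulmin() would quietly select sb_cc, so it is worth confirming it is unsigned or provably non-negative at this point. The enclosing function starts and ends outside the hunk.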
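Review bot: The new `*((u_int32_t *)(opt + optlen)) = htonl(` still performs a 32-bit store through a pointer cast into what the surrounding code treats as a byte array, so it is correct only if `opt + optlen` is 4-byte aligned here; the hunk shows neither the declaration of `opt` nor the options written before this one, and on the strict-alignment targets this fix is aimed at a misaligned store would trap or be fixed up expensively. Narrowing to `u_int32_t` is the right width for an on-the-wire field, but I would form the word in a `u_int32_t` local and `bcopy()` it to `opt + optlen` (this also avoids the type-punned access), or at minimum record the invariant with `/* opt + optlen is 4-byte aligned: every option emitted above is a multiple of 4 bytes */` once that has been confirmed. The `htonl(` statement continues past the end of the hunk, and the timestamp hunk below stores through `lp` the same way.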