[tcp] Avoid potential NULL pointer dereference

Commit ea61075 ("[tcp] Add support for TCP window scaling") introduced
a potential NULL pointer dereference by referring to the connection's
send window scale before checking whether or not the connection is
known.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/tcp.c b/src/net/tcp.c
index 3cd357fcae6853a2a7d0eed6f507e840b6686082..7a127260592636d6612a0b1ba2dc211dca54fb47 100644 (file)
--- a/src/net/tcp.c
+++ b/src/net/tcp.c
@@ -1155,6 +1155,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
        uint16_t csum;
        uint32_t seq;
        uint32_t ack;
+       uint16_t raw_win;
        uint32_t win;
        unsigned int flags;
        size_t len;
@@ -1195,7 +1196,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
        tcp = tcp_demux ( ntohs ( tcphdr->dest ) );
        seq = ntohl ( tcphdr->seq );
        ack = ntohl ( tcphdr->ack );
-       win = ( ntohs ( tcphdr->win ) << tcp->snd_win_scale );
+       raw_win = ntohs ( tcphdr->win );
        flags = tcphdr->flags;
        tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ),
                      ( hlen - sizeof ( *tcphdr ) ), &options );
@@ -1226,6 +1227,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
 
        /* Handle ACK, if present */
        if ( flags & TCP_ACK ) {
+               win = ( raw_win << tcp->snd_win_scale );
                if ( ( rc = tcp_rx_ack ( tcp, ack, win ) ) != 0 ) {
                        tcp_xmit_reset ( tcp, st_src, tcphdr );
                        goto discard;