From: Michael Brown
Date: Sat, 30 Jun 2012 18:02:36 +0000 (+0100)
Subject: [tcp] Avoid potential NULL pointer dereference
X-Git-Tag: v1.20.1~1731
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55f52bb77a708ede94176c354fb5f27177fd5e99;p=thirdparty%2Fipxe.git
[tcp] Avoid potential NULL pointer dereference
Commit ea61075 ("[tcp] Add support for TCP window scaling") introduced a potential NULL pointer dereference by referring to the connection's send window scale before checking whether or not the connection is known.
Signed-off-by: Michael Brown
---
diff --git a/src/net/tcp.c b/src/net/tcp.c
index 3cd357fca..7a1272605 100644
--- a/src/net/tcp.c
+++ b/src/net/tcp.c
@@ -1155,6 +1155,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
 uint16_t csum;
 uint32_t seq;
 uint32_t ack;
+ uint16_t raw_win;
 uint32_t win;
 unsigned int flags;
 size_t len;
@@ -1195,7 +1196,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
 tcp = tcp_demux ( ntohs ( tcphdr->dest ) );
 seq = ntohl ( tcphdr->seq );
 ack = ntohl ( tcphdr->ack );
- win = ( ntohs ( tcphdr->win ) << tcp->snd_win_scale );
+ raw_win = ntohs ( tcphdr->win );
 flags = tcphdr->flags;
 tcp_rx_opts ( tcp, ( ( ( void * ) tcphdr ) + sizeof ( *tcphdr ) ), ( hlen - sizeof ( *tcphdr ) ), &options );
@@ -1226,6 +1227,7 @@ static int tcp_rx ( struct io_buffer *iobuf,
 /* Handle ACK, if present */
 if ( flags & TCP_ACK ) {
+ win = ( raw_win << tcp->snd_win_scale );
 if ( ( rc = tcp_rx_ack ( tcp, ack, win ) ) != 0 ) {
 tcp_xmit_reset ( tcp, st_src, tcphdr );
 goto discard;
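Review bot: In the second hunk (new line 1196 onward), the context call `tcp_rx_opts ( tcp, ... )` still receives `tcp` straight from `tcp_demux()`, before the known-connection check the commit message refers to, so the pointer can be NULL at that call. The definition of tcp_rx_opts is outside this diff; if it reads any field of `tcp`, a segment for an unknown connection would hit the same fault this commit removes for `snd_win_scale`. I would confirm that it never dereferences the pointer and add a comment above the `raw_win` assignment so a later refactor does not move a dereference back up: `/* tcp may be NULL here; defer anything that dereferences it until the connection is known */`. The body of tcp_rx starts and ends outside the hunk.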
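Review bot: In the third hunk, `raw_win << tcp->snd_win_scale` shifts a `uint16_t` that is first promoted to signed `int`, so with a 32-bit `int` a scale of 16 or more combined with a large advertised window overflows (undefined behaviour) before the result is widened into `uint32_t win`. `snd_win_scale` presumably comes from the peer's window-scale option, and where it is parsed is outside this diff; either confirm it is clamped there to the maximum of 14 that the TCP window-scale specification allows, or cast at the use: `win = ( ( uint32_t ) raw_win << tcp->snd_win_scale );`. The NULL check on `tcp` that makes this dereference safe is also not visible in any hunk, so it is worth confirming that it precedes the ACK block on every path.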