Date: Fri, 23 May 2025 15:54:06 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 281938] Make sure max_len is not 0 before using it as modulo
Message-ID: <bug-281938-7501-FzVbnGqQUs@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-281938-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-281938-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281938

--- Comment #7 from Michael Tuexen <tuexen@freebsd.org> ---
(In reply to nakayamakenjiro from comment #0)

If we are in the code path you mention, we are in the body of

        if (len + optlen + ipoptlen > tp->t_maxseg) {
                flags &= ~TH_FIN;
                if (tso) {
                        /* somewhere here */
                }
        }

tso is set by

        if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg &&
            (tp->t_port == 0) &&
            ((tp->t_flags & TF_SIGNATURE) == 0) &&
            (!sack_rxmit || V_tcp_sack_tso) &&
            (ipoptlen == 0 || (ipoptlen == ipsec_optlen &&
             (tp->t_flags2 & TF2_IPSEC_TSO) != 0)) &&
            !(flags & TH_SYN))
                tso = 1;

This means that ipoptlen == ipsec_optlen in all cases (if ipoptlen == 0, then
also ipsec_optlen == 0). Therefore
tp->t_maxseg >= len + optlen + ipoptlen
holds due to the check in the if condition and finally
tp->t_maxseg >= len + optlen + ipsec_optlen
holds, since ipoptlen == ipsec_optlen.
Therefore max_len = tp->t_maxseg - optlen - ipsec_optlen is positive.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
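The check named in the bug title, as a userland model. This is an added example, not FreeBSD code and not part of the message above: struct seg_model, the M_* flag values, tso_eligible() and tso_trim_len() are hypothetical, the eligibility test copies the condition quoted in the comment, and using the modulo to trim len to whole segments is an assumption. It only shows the guard; whether the kernel can reach max_len == 0 is what the thread discusses.

```c
#include <stdio.h>

/* Placeholder flag bits for this model; not the kernel's values. */
#define M_TF_TSO        0x1u
#define M_TF_SIGNATURE  0x2u
#define M_TF2_IPSEC_TSO 0x1u
#define M_TH_SYN        0x02u

struct seg_model {		/* hypothetical stand-in for the tcpcb fields used */
	unsigned t_flags, t_flags2, t_port;
	int t_maxseg;
};

/* TSO eligibility as quoted in the comment; the two V_ sysctls are parameters. */
static int
tso_eligible(const struct seg_model *tp, int len, int ipoptlen, int ipsec_optlen,
    unsigned flags, int sack_rxmit, int do_tso, int sack_tso)
{
	return ((tp->t_flags & M_TF_TSO) && do_tso && len > tp->t_maxseg &&
	    tp->t_port == 0 && (tp->t_flags & M_TF_SIGNATURE) == 0 &&
	    (!sack_rxmit || sack_tso) &&
	    (ipoptlen == 0 || (ipoptlen == ipsec_optlen &&
	    (tp->t_flags2 & M_TF2_IPSEC_TSO) != 0)) &&
	    !(flags & M_TH_SYN));
}

/* Trim len to whole max_len-sized segments; -1 if max_len <= 0 (no modulo runs). */
static int
tso_trim_len(const struct seg_model *tp, int len, int optlen, int ipsec_optlen)
{
	int max_len = tp->t_maxseg - optlen - ipsec_optlen;	/* signed on purpose */

	if (max_len <= 0)
		return (-1);
	return (len - len % max_len);
}

int
main(void)
{
	struct seg_model tp = { M_TF_TSO, 0, 0, 1460 };	/* constructed values */

	if (tso_eligible(&tp, 4000, 0, 0, 0, 0, 1, 1))
		printf("trimmed len = %d\n", tso_trim_len(&tp, 4000, 12, 0));
	return (0);
}
```

Keeping max_len signed matters here: with an unsigned type a negative difference would wrap to a large positive divisor and pass a "!= 0" test.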