Date:      Fri, 23 May 2025 15:54:06 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 281938] Make sure max_len is not 0 before using it as modulo
Message-ID:  <bug-281938-7501-FzVbnGqQUs@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-281938-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-281938-7501@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281938

--- Comment #7 from Michael Tuexen <tuexen@freebsd.org> ---
(In reply to nakayamakenjiro from comment #0)
If we are in the code path you mention, we are in the body of

        if (len + optlen + ipoptlen > tp->t_maxseg) {
                flags &= ~TH_FIN;

                if (tso) {
                        /* somewhere here */
                }
        }

tso is set by

        if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg &&
            (tp->t_port == 0) &&
            ((tp->t_flags & TF_SIGNATURE) == 0) &&
            (!sack_rxmit || V_tcp_sack_tso) &&
            (ipoptlen == 0 || (ipoptlen == ipsec_optlen &&
             (tp->t_flags2 & TF2_IPSEC_TSO) != 0)) &&
            !(flags & TH_SYN))
                tso = 1;

This means that ipoptlen == ipsec_optlen in all cases (if ipoptlen == 0, then
also ipsec_optlen == 0). Therefore tp->t_maxseg >= len + optlen + ipoptlen
holds due to the check in the if condition and finally tp->t_maxseg >= len +
optlen + ipsec_optlen holds, since ipoptlen == ipsec_optlen.
Therefore max_len = tp->t_maxseg - optlen - ipsec_optlen is positive.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

