tcp options bug?

Koxaras Aris (koxaras@ceid.upatras.gr)
Wed, 23 Sep 1998 01:38:32 +0300


I think there's a (harmless) bug in net/ipv4/tcp_input.c, in
function tcp_options(). One can send "TCP_NOP,TCP_NOP,TCPOPT_MSS,4" as
TCP options, forcing the kernel to read 2 more bytes after the end of
the tcp packet options. This happens because tcp_options() does NOT check
if length <= opsize. It only checks if opsize<=2.

Greetings,
mastoras
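
An added example, not part of the original post and not kernel code: a stand-alone TCP options walker that applies the bound the post says is missing, rejecting any option whose length byte claims more bytes than remain in the options area. The identifiers, return codes and sample byte strings are this example's own; the first sample is the sequence quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option kinds per RFC 793; identifiers are this example's own. */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2 };
/* Return codes, hypothetical and local to this example. */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LEN = -2 };

/* Walk `length` bytes of TCP options; store the MSS in *mss if present.
 * Never reads at or beyond opt + length. */
int parse_tcp_options(const uint8_t *opt, size_t length, uint16_t *mss)
{
    size_t i = 0;
    while (i < length) {
        uint8_t kind = opt[i];
        if (kind == OPT_EOL)
            return PARSE_OK;
        if (kind == OPT_NOP) {       /* one-byte option, no length field */
            i++;
            continue;
        }
        if (length - i < 2)          /* no room left for the length byte */
            return PARSE_TRUNCATED;
        uint8_t opsize = opt[i + 1];
        if (opsize < 2)              /* cannot even cover kind + length */
            return PARSE_BAD_LEN;
        if (opsize > length - i)     /* claims more bytes than remain */
            return PARSE_TRUNCATED;
        if (kind == OPT_MSS && opsize == 4)
            *mss = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]);
        i += opsize;
    }
    return PARSE_OK;
}

/* Constructed inputs: the sequence from the post, and a well-formed one. */
static const uint8_t truncated_opts[] = { OPT_NOP, OPT_NOP, OPT_MSS, 4 };
static const uint8_t valid_opts[] = { OPT_MSS, 4, 0x05, 0xb4, OPT_NOP, OPT_NOP };

int main(void)
{
    uint16_t mss = 0;
    int rc = parse_tcp_options(truncated_opts, sizeof truncated_opts, &mss);
    printf("truncated: rc=%d mss=%u\n", rc, (unsigned)mss);
    rc = parse_tcp_options(valid_opts, sizeof valid_opts, &mss);
    printf("valid:     rc=%d mss=%u\n", rc, (unsigned)mss);
    return 0;
}
```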
