| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Aug 2008 18:40:04 +0100
From: Ben Hutchings <bhutchings@...arflare.com>
To: Nicolas Bareil <nico@...ir.org>
Cc: netdev@...r.kernel.org
Subject: Re: [BUG] before() integer overflow
Nicolas Bareil wrote:
>
> Hello!
>
>
> In include/net/tcp.h, the before() function is defined like this :
>
> 241 /*
> 242 * The next routines deal with comparing 32 bit unsigned ints
> 243 * and worry about wraparound (automatic with unsigned arithmetic).
> 244 */
> 245
> 246 static inline int before(__u32 seq1, __u32 seq2)
> 247 {
> 248 return (__s32)(seq1-seq2) < 0;
> 249 }
> 250 #define after(seq2, seq1) before(seq1, seq2)
>
>
> If seq1 = 0xffffff and seq2 = 0 (so seq1 > seq2), the difference is
> equal to 0xffffff, or -1 as a 32 bits signed number.
>
> => before() will return true instead of false.
[...]
That's exactly what we want. The initial sequence number is random (and
TCP streams are not limited to 4GB) so the sequence can wrap around. 0
follows 0xffffffff. If we were to compare sequence numbers from two
packets more than 2GB apart in the stream, this comparison would give
the wrong answer, but currently this is not likely to be a problem.
Ben.
--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists