[DCCP]: Check against too large p
This patch follows a suggestion by Ian McDonald and ensures that in
the current code the value of p can not exceed 100%. Such a value is
illegal and would consequently cause a bug condition in tfrc_calc_x().
The receiver case is also tested, and a warning message is added.
Signed-off-by: Gerrit Renker <[EMAIL PROTECTED]>
---
net/dccp/ccids/ccid3.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -444,9 +444,9 @@ static void ccid3_hc_tx_packet_recv(stru
/* Update loss event rate */
pinv = opt_recv->ccid3or_loss_event_rate;
- if (pinv == ~0U || pinv == 0)
+ if (pinv == ~0U || pinv == 0) /* see RFC 4342, 8.5 */
hctx->ccid3hctx_p = 0;
- else
+ else /* can not exceed 100% */
hctx->ccid3hctx_p = 1000000 / pinv;
dccp_timestamp(sk, &now);
@@ -733,10 +733,15 @@ static void ccid3_hc_rx_send_feedback(st
/* Convert to multiples of 10us */
hcrx->ccid3hcrx_elapsed_time =
timeval_delta(&now, &packet->dccphrx_tstamp) / 10;
+
if (hcrx->ccid3hcrx_p == 0)
- hcrx->ccid3hcrx_pinv = ~0;
- else
+ hcrx->ccid3hcrx_pinv = ~0U; /* see RFC 4342, 8.5 */
+ else if (hcrx->ccid3hcrx_p > 1000000) {
+ DCCP_WARN("p (%u) > 100%%\n", hcrx->ccid3hcrx_p);
+ hcrx->ccid3hcrx_pinv = 1; /* use 100% in this case */
+ } else
hcrx->ccid3hcrx_pinv = 1000000 / hcrx->ccid3hcrx_p;
+
dp->dccps_hc_rx_insert_options = 1;
dccp_send_ack(sk);
}
-
To unsubscribe from this list: send the line "unsubscribe dccp" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
