sun purge
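index eece52e..46d7b9d 100644
--- a/usr/src/sys/netinet/tcp_input.c
+++ b/usr/src/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*     tcp_input.c     1.90    83/03/27        */
+/*     tcp_input.c     1.95    83/06/14        */
 
 #include "../h/param.h"
 #include "../h/systm.h"
@@ -77,6 +77,8 @@ tcp_input(m0)
                 ti->ti_len = (u_short)tlen;
                 ti->ti_len = htons((u_short)ti->ti_len);
                 if (ti->ti_sum = in_cksum(m, len)) {
+                       if (tcpprintfs)
+                               printf("tcp sum: src %x\n", ti->ti_src);
                         tcpstat.tcps_badsum++;
                         goto drop;
                 }
@@ -88,6 +90,8 @@ tcp_input(m0)
          */
         off = ti->ti_off << 2;
         if (off < sizeof (struct tcphdr) || off > tlen) {
+               if (tcpprintfs)
+                       printf("tcp off: src %x off %d\n", ti->ti_src, off);
                 tcpstat.tcps_badoff++;
                 goto drop;
         }
@@ -586,6 +590,18 @@ step6:
          */
         if ((tiflags & TH_URG) && ti->ti_urp &&
             TCPS_HAVERCVDFIN(tp->t_state) == 0) {
+               /*
+                * This is a kludge, but if we receive accept
+                * random urgent pointers, we'll crash in
+                * soreceive.  It's hard to imagine someone
+                * actually wanting to send this much urgent data.
+                */
+               if (ti->ti_urp > tp->t_maxseg) {        /* XXX */
+                       ti->ti_urp = 0;                 /* XXX */
+                       tiflags &= ~TH_URG;             /* XXX */
+                       ti->ti_flags &= ~TH_URG;        /* XXX */
+                       goto badurp;                    /* XXX */
+               }
                 /*
                  * If this segment advances the known urgent pointer,
                  * then mark the data stream.  This should not happen
@@ -611,6 +627,7 @@ step6:
                 if (ti->ti_urp <= ti->ti_len)
                         tcp_pulloutofband(so, ti);
         }
+badurp:                                                        /* XXX */
 
         /*
          * Process the segment text, merging it into the TCP sequencing queue,
@@ -704,8 +721,10 @@ dropafterack:
         return;
 
 dropwithreset:
-       if (om)
+       if (om) {
                 (void) m_free(om);
+               om = 0;
+       }
         /*
          * Generate a RST, dropping incoming segment.
          * Make ACK acceptable to originator of segment.
@@ -755,8 +774,11 @@ tcp_dooptions(tp, om)
                         break;
                 if (opt == TCPOPT_NOP)
                         optlen = 1;
-               else
+               else {
                         optlen = cp[1];
+                       if (optlen <= 0)
+                               break;
+               }
                 switch (opt) {
 
                 default: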
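Review bot: In the tcp_dooptions hunk, the new `if (optlen <= 0) break;` stops a zero-length option from stalling the parse loop, but it still accepts a length of 1 and any length larger than the option bytes that remain. The length is taken directly from the received segment (`cp[1]`), so a value of 1 makes the parser treat the length byte as the next option kind. An oversized value would presumably let the `switch (opt)` cases read beyond the option data; the loop header and the case bodies lie outside the hunk, so that part is inferred. I would tighten the guard to `if (optlen < 2 || optlen > REMAINING) break;`, where REMAINING is a placeholder for the loop's count of unparsed option bytes, and confirm that at least two bytes remain before `cp[1]` is read. A short comment above the check saying that the length is sender-controlled would also tell later readers why the bound is there.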