netdev.vger.kernel.org archive mirror
From: Ben Hutchings <bhutchings@solarflare.com>
To: Nicolas Bareil <nico@chdir.org>
Cc: netdev@vger.kernel.org
Subject: Re: [BUG] before() integer overflow
Date: Tue, 5 Aug 2008 18:40:04 +0100
Message-ID: <20080805174003.GA10471@solarflare.com>
In-Reply-To: <87y73bqt0p.fsf@chdir.org>

Nicolas Bareil wrote:
> 
> Hello!
> 
> 
> In include/net/tcp.h, the before() function is defined like this:
> 
> /*
>  * The next routines deal with comparing 32 bit unsigned ints
>  * and worry about wraparound (automatic with unsigned arithmetic).
>  */
> 
> static inline int before(__u32 seq1, __u32 seq2)
> {
>         return (__s32)(seq1-seq2) < 0;
> }
> #define after(seq2, seq1)   before(seq1, seq2)
> 
> 
> If seq1 = 0xffffff and seq2 = 0 (so seq1 > seq2), the difference is
> equal to 0xffffff, or -1 as a 32-bit signed number.
> 
>  => before() will return true instead of false.
[...]

That's exactly what we want.  The initial sequence number is random (and
TCP streams are not limited to 4GB) so the sequence can wrap around.  0
follows 0xffffffff.  If we were to compare sequence numbers from two
packets more than 2GB apart in the stream, this comparison would give
the wrong answer, but currently this is not likely to be a problem.

Ben.

-- 
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
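
The wraparound-aware comparison discussed in this thread, as an added example that is not part of the original messages or the kernel source: it rebuilds before() with standard C types and runs it on a constructed initial sequence number (0xfffffff0) just below the wrap point, including a gap of more than 2^31 bytes where the result no longer matches stream order. The helpers naive_before(), seq_at() and before_matches_stream_order() are hypothetical names introduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* Same comparison as the quoted before(), written with standard
 * fixed-width types instead of the kernel's __u32/__s32. */
static inline int before(uint32_t seq1, uint32_t seq2)
{
	return (int32_t)(seq1 - seq2) < 0;
}
#define after(seq2, seq1)   before(seq1, seq2)

/* Plain unsigned comparison, shown for contrast: it ignores wraparound. */
static inline int naive_before(uint32_t seq1, uint32_t seq2)
{
	return seq1 < seq2;
}

/* Sequence number of the byte at `offset` in a stream that started at
 * initial sequence number `isn`; the sum wraps modulo 2^32. */
static inline uint32_t seq_at(uint32_t isn, uint64_t offset)
{
	return (uint32_t)(isn + offset);
}

/* 1 if before() agrees with the true order of two stream offsets. */
static int before_matches_stream_order(uint32_t isn, uint64_t a, uint64_t b)
{
	return before(seq_at(isn, a), seq_at(isn, b)) == (a < b);
}

int main(void)
{
	const uint32_t isn = 0xfffffff0u; /* constructed ISN just below the wrap */
	const uint64_t gaps[] = { 0x20, 0x7fffffffu, 0x80000001u };

	for (size_t i = 0; i < sizeof(gaps) / sizeof(gaps[0]); i++) {
		uint32_t s1 = seq_at(isn, 0), s2 = seq_at(isn, gaps[i]);

		printf("gap=0x%09llx seq1=0x%08x seq2=0x%08x before=%d naive=%d ok=%d\n",
		       (unsigned long long)gaps[i], (unsigned)s1, (unsigned)s2,
		       before(s1, s2), naive_before(s1, s2),
		       before_matches_stream_order(isn, 0, gaps[i]));
	}
	return 0;
}
```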
