fixed bug #22249: division by zero could occur if a remote host sent a zero mss as TCP option.

CHANGELOG

@@ -22,6 +22,10 @@ HISTORY
 
   ++ Bugfixes:
 
+  2008-03-26 Simon Goldschmidt
+  * tcp_in.c, tcp.c: fixed bug #22249: division by zero could occur if a remote
+    host sent a zero mss as TCP option.
+
 
 (STABLE-1.3.0)
 

src/core/tcp.c

@@ -509,7 +509,8 @@ tcp_connect(struct tcp_pcb *pcb, struct ip_addr *ipaddr, u16_t port,
   pcb->rcv_wnd = TCP_WND;
   pcb->rcv_ann_wnd = TCP_WND;
   pcb->snd_wnd = TCP_WND;
-  /* The send MSS is updated when an MSS option is received. */
+  /* As initial send MSS, we use TCP_MSS but limit it to 536.
+     The send MSS is updated when an MSS option is received. */
   pcb->mss = (TCP_MSS > 536) ? 536 : TCP_MSS;
 #if TCP_CALCULATE_EFF_SEND_MSS
   pcb->mss = tcp_eff_send_mss(pcb->mss, ipaddr);
@@ -991,7 +992,8 @@ tcp_alloc(u8_t prio)
     pcb->rcv_ann_wnd = TCP_WND;
     pcb->tos = 0;
     pcb->ttl = TCP_TTL;
-    /* The send MSS is updated when an MSS option is received. */
+    /* As initial send MSS, we use TCP_MSS but limit it to 536.
+       The send MSS is updated when an MSS option is received. */
     pcb->mss = (TCP_MSS > 536) ? 536 : TCP_MSS;
     pcb->rto = 3000 / TCP_SLOW_INTERVAL;
     pcb->sa = 0;

src/core/tcp_in.c

@@ -1331,7 +1331,8 @@ tcp_parseopt(struct tcp_pcb *pcb)
         opts[c + 1] == 0x04) {
         /* An MSS option with the right option length. */
         mss = (opts[c + 2] << 8) | opts[c + 3];
-        pcb->mss = mss > TCP_MSS? TCP_MSS: mss;
+        /* Limit the mss to the configured TCP_MSS and prevent division by zero */
+        pcb->mss = ((mss > TCP_MSS) || (mss == 0)) ? TCP_MSS : mss;
 
         /* And we are done processing options. */
         break;