A bug in TCPAgent that leads to array overflow with bugfix_ts_ option

(Part of the NS-2 enhancement project)

David X. Wei

Netlab @ Caltech

Jun 2006

This bug may lead to an array overflow when the bugfix_ts_ option is enabled (it is usually enabled in delay-based protocols such as Vegas).

The Fix

A patch fixes this problem. The patch is against NS-2.29; some modifications may be necessary for other versions of NS.

The problem

In tcp/tcp.cc, the TcpAgent::output() function (line 656 in version 2.29) contains the following problematic code:

// dynamically grow the timestamp array if it's getting full
if (bugfix_ts_ && window() > tss_size_ * 0.9) {

This code grows the timestamp array when the window size approaches the array size. However, this might not work with FACK: the array must be large enough to hold (t_seqno_ - highest_ack_) entries, and after a loss that quantity may be much larger than window().

The fix in the patch replaces window() with (t_seqno_-highest_ack_).
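The following is an added example written for this page, not code from NS-2 or from the patch. It models the growth check in a small, bounds-checked timestamp store so the difference between the two conditions can be observed: in a constructed post-loss scenario (window cut to 20 while 60 packets remain outstanding), the original window()-based check leaves the array too small, while the (t_seqno_ - highest_ack_)-based check grows it first. The indexing scheme (offset from highest_ack_), the doubling growth factor and the TsStore/Scenario names are assumptions made for illustration.

```cpp
// Added example (not NS-2 code): a simplified model of the timestamp-array
// growth check in TcpAgent::output(), comparing the original condition that
// uses window() with the patched one that uses (t_seqno_ - highest_ack_).
// Assumptions: slots are indexed by the packet's offset from highest_ack_,
// and the array doubles when it grows. Both are chosen for illustration.
#include <cstddef>
#include <cstdio>
#include <vector>

struct TsStore {
    std::vector<unsigned int> tss;   // timestamp slots
    size_t grows = 0;                // how many times the array grew

    explicit TsStore(size_t initial) : tss(initial, 0) {}

    size_t size() const { return tss.size(); }

    // Grow the array (2x) when the given demand approaches capacity,
    // mirroring the "> tss_size_ * 0.9" threshold shape in tcp.cc.
    void maybe_grow(double demand) {
        if (demand > tss.size() * 0.9) {
            tss.resize(tss.size() * 2, 0);
            ++grows;
        }
    }

    // Bounds-checked store: returns false instead of writing past the end,
    // which is exactly the write the unpatched condition can allow.
    bool store(long seqno, long highest_ack, unsigned int ts) {
        long off = seqno - highest_ack;
        if (off < 0 || static_cast<size_t>(off) >= tss.size())
            return false;
        tss[static_cast<size_t>(off)] = ts;
        return true;
    }
};

// One send step under the original check: growth is driven by window().
bool send_old(TsStore& s, long t_seqno, long highest_ack,
              double window, unsigned int now) {
    s.maybe_grow(window);
    return s.store(t_seqno, highest_ack, now);
}

// The same step under the patched check: growth is driven by outstanding data.
bool send_fixed(TsStore& s, long t_seqno, long highest_ack, unsigned int now) {
    s.maybe_grow(static_cast<double>(t_seqno - highest_ack));
    return s.store(t_seqno, highest_ack, now);
}

// Constructed post-loss scenario: the window was cut (e.g. 80 -> 20) while
// 60 packets are still in flight, so outstanding data far exceeds window().
struct Scenario {
    long t_seqno = 100;      // next sequence number to send
    long highest_ack = 40;   // highest cumulative ack seen
    double window = 20.0;    // cwnd after the loss event
    size_t tss_size = 32;    // current timestamp array size
};

// True if the original check would let the store run past the array.
bool old_check_overflows() {
    Scenario sc;
    TsStore s(sc.tss_size);
    return !send_old(s, sc.t_seqno, sc.highest_ack, sc.window, 1000);
}

// True if the patched check grows the array (32 -> 64) and the store fits.
bool fixed_check_stores() {
    Scenario sc;
    TsStore s(sc.tss_size);
    return send_fixed(s, sc.t_seqno, sc.highest_ack, 1000) && s.size() == 64;
}

int main() {
    printf("original check overflows: %s\n", old_check_overflows() ? "yes" : "no");
    printf("patched check stores:     %s\n", fixed_check_stores() ? "yes" : "no");
    return 0;
}
```

The store returns false rather than writing out of bounds, so the model reports the defect instead of reproducing it; in the real agent the same condition corresponds to an index beyond tss_size_. The growth step is a single doubling, matching the shape of the original `if`; a demand far above capacity would need the check to run again on the next send.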