Window Scale out-of-bounds Issue #42

@hunianhang

Problem Description:

In the "rx_engine.cpp" file, the "parse_optional_header_fields" function uses a switch statement to parse TCP options. When case 3 handles the Window Scale option, the code extracts the Window Scale Factor (Shift Count) from the fields variable, writes it to windowScaleOut, and then sets the state to IDLE, indicating that parsing is complete.

  • case 3 processes TCP Option Kind ID = 3 (Window Scale option).

  • fields(19, 16) extracts the Window Scale Factor, but the original code lacks boundary checking, which may result in the Shift Count exceeding the TCP-defined range of 0~14.

  • Since the Shift Count is represented by a 4-bit field, its valid range is 0~15, but the TCP specification only allows values 0~14, leading to a potential out-of-bounds issue.

  • When the Window Scale value is out of range, the error "ERROR: Hi (30) out of bound (30) in range()" will be reported.

Bug Fix:

Add boundary checking when parsing the Shift Count to ensure its value always falls within the 0~14 range, preventing it from exceeding the defined limits in the TCP specification.
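
One way to apply the boundary check described in this issue, as an added example that is not the project's code or the reporter's patch. It uses plain C++ types instead of the HLS types in rx_engine.cpp, the names `parse_window_scale`, `WscaleResult` and `scaled_window` are hypothetical, and clamping an oversized shift count to 14 (rather than dropping the option) is an assumption that follows RFC 7323.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// RFC 7323 limits the window scale shift count to 14.
constexpr uint8_t kMaxWindowShift = 14;

struct WscaleResult {
    bool present;   // a well-formed Window Scale option was found
    bool clamped;   // the received shift count exceeded 14
    uint8_t shift;  // value that is safe to use as a shift amount (0..14)
};

// Walks a TCP options area and returns a bounded shift count.
// Hypothetical helper: software model of the check, not the HLS state machine.
WscaleResult parse_window_scale(const uint8_t* opts, size_t len) {
    WscaleResult r{false, false, 0};
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == 0) break;                       // End of Option List
        if (kind == 1) { ++i; continue; }           // NOP is a single byte
        if (i + 1 >= len) break;                    // truncated: no length byte
        uint8_t optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len) break;  // malformed length field
        if (kind == 3 && optlen == 3) {             // Window Scale option
            uint8_t raw = opts[i + 2];
            r.present = true;
            r.clamped = raw > kMaxWindowShift;
            r.shift = r.clamped ? kMaxWindowShift : raw;
            return r;
        }
        i += optlen;                                // skip options we ignore
    }
    return r;
}

// Applies the validated shift to the 16-bit window field of a segment.
uint32_t scaled_window(uint16_t window, const WscaleResult& r) {
    return static_cast<uint32_t>(window) << r.shift;
}

int main() {
    // Constructed sample: MSS option, NOP, then Window Scale with shift count 15.
    const uint8_t opts[] = {2, 4, 0x05, 0xb4, 1, 3, 3, 15};
    WscaleResult r = parse_window_scale(opts, sizeof opts);
    std::printf("shift=%u clamped=%d\n", static_cast<unsigned>(r.shift), r.clamped);
    return 0;
}
```

The `clamped` flag lets the caller log or count peers that advertise an out-of-range shift count instead of silently accepting them.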
