mirror of
https://github.com/lwip-tcpip/lwip.git
synced 2024-12-25 18:14:53 +00:00
tcp_recved: fix overflow check
Improved fix instead of patch #9699.
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
(cherry picked from commit 98d1cb1c00
)
This commit is contained in:
parent
18b91b2841
commit
1a10a942f2
@ -971,6 +971,7 @@ void
|
||||
tcp_recved(struct tcp_pcb *pcb, u16_t len)
|
||||
{
|
||||
u32_t wnd_inflation;
|
||||
tcpwnd_size_t rcv_wnd;
|
||||
|
||||
LWIP_ASSERT_CORE_LOCKED();
|
||||
|
||||
@ -980,19 +981,13 @@ tcp_recved(struct tcp_pcb *pcb, u16_t len)
|
||||
LWIP_ASSERT("don't call tcp_recved for listen-pcbs",
|
||||
pcb->state != LISTEN);
|
||||
|
||||
pcb->rcv_wnd = (tcpwnd_size_t)(pcb->rcv_wnd + len);
|
||||
if (pcb->rcv_wnd > TCP_WND_MAX(pcb)) {
|
||||
rcv_wnd = (tcpwnd_size_t)(pcb->rcv_wnd + len);
|
||||
if ((rcv_wnd > TCP_WND_MAX(pcb)) || (rcv_wnd < pcb->rcv_wnd)) {
|
||||
/* window got too big or tcpwnd_size_t overflow */
|
||||
LWIP_DEBUGF(TCP_DEBUG, ("tcp_recved: window got too big or tcpwnd_size_t overflow\n"));
|
||||
pcb->rcv_wnd = TCP_WND_MAX(pcb);
|
||||
} else if (pcb->rcv_wnd == 0) {
|
||||
/* rcv_wnd overflowed */
|
||||
if (TCP_STATE_IS_CLOSING(pcb->state)) {
|
||||
/* In passive close, we allow this, since the FIN bit is added to rcv_wnd
|
||||
by the stack itself, since it is not mandatory for an application
|
||||
to call tcp_recved() for the FIN bit, but e.g. the netconn API does so. */
|
||||
pcb->rcv_wnd = TCP_WND_MAX(pcb);
|
||||
} else {
|
||||
LWIP_ASSERT("tcp_recved: len wrapped rcv_wnd\n", 0);
|
||||
}
|
||||
} else {
|
||||
pcb->rcv_wnd = rcv_wnd;
|
||||
}
|
||||
|
||||
wnd_inflation = tcp_update_rcv_ann_wnd(pcb);
|
||||
|
Loading…
Reference in New Issue
Block a user