tcp_recved: fix overflow check

Improved fix instead of patch #9699.

Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
Simon Goldschmidt 2018-11-12 20:55:23 +01:00
parent 1940cae827
commit 98d1cb1c00


@ -968,6 +968,7 @@ void
tcp_recved(struct tcp_pcb *pcb, u16_t len) tcp_recved(struct tcp_pcb *pcb, u16_t len)
{ {
u32_t wnd_inflation; u32_t wnd_inflation;
tcpwnd_size_t rcv_wnd;
LWIP_ASSERT_CORE_LOCKED(); LWIP_ASSERT_CORE_LOCKED();
@ -977,19 +978,13 @@ tcp_recved(struct tcp_pcb *pcb, u16_t len)
LWIP_ASSERT("don't call tcp_recved for listen-pcbs", LWIP_ASSERT("don't call tcp_recved for listen-pcbs",
pcb->state != LISTEN); pcb->state != LISTEN);
pcb->rcv_wnd = (tcpwnd_size_t)(pcb->rcv_wnd + len); rcv_wnd = (tcpwnd_size_t)(pcb->rcv_wnd + len);
if (pcb->rcv_wnd > TCP_WND_MAX(pcb)) { if ((rcv_wnd > TCP_WND_MAX(pcb)) || (rcv_wnd < pcb->rcv_wnd)) {
pcb->rcv_wnd = TCP_WND_MAX(pcb); /* window got too big or tcpwnd_size_t overflow */
} else if (pcb->rcv_wnd == 0) { LWIP_DEBUGF(TCP_DEBUG, ("tcp_recved: window got too big or tcpwnd_size_t overflow\n"));
/* rcv_wnd overflowed */
if (TCP_STATE_IS_CLOSING(pcb->state)) {
/* In passive close, we allow this, since the FIN bit is added to rcv_wnd
by the stack itself, since it is not mandatory for an application
to call tcp_recved() for the FIN bit, but e.g. the netconn API does so. */
pcb->rcv_wnd = TCP_WND_MAX(pcb); pcb->rcv_wnd = TCP_WND_MAX(pcb);
} else { } else {
LWIP_ASSERT("tcp_recved: len wrapped rcv_wnd\n", 0); pcb->rcv_wnd = rcv_wnd;
}
} }
wnd_inflation = tcp_update_rcv_ann_wnd(pcb); wnd_inflation = tcp_update_rcv_ann_wnd(pcb);
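Review bot: The clamp branch of tcp_recved now handles every over-credit silently. Outside the closing states the removed code asserted on a wrapped rcv_wnd, so a caller that credits more bytes than it received is no longer caught, and the only remaining trace is an `LWIP_DEBUGF` at plain `TCP_DEBUG`, which is presumably compiled out in most builds. Consider raising the message severity so it survives a filtered debug build: `LWIP_DEBUGF(TCP_DEBUG | LWIP_DBG_LEVEL_WARNING, ("tcp_recved: window got too big or tcpwnd_size_t overflow\n"));`. The removed comment also explained why an overshoot can be legitimate, and that rationale is worth keeping next to the clamp, for example `/* clamp instead of assert: the stack adds the FIN to rcv_wnd itself, so a tcp_recved() call for it (e.g. from the netconn API) may overshoot */`. The wrap test `rcv_wnd < pcb->rcv_wnd` itself looks correct for an unsigned tcpwnd_size_t. The function body continues past the end of this hunk.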