tcp_recved: fix overflow check

Improved fix instead of patch #9699.

Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
This commit is contained in:
Simon Goldschmidt 2018-11-12 20:55:23 +01:00
parent 1940cae827
commit 98d1cb1c00

View File

@ -968,6 +968,7 @@ void
tcp_recved(struct tcp_pcb *pcb, u16_t len)
{
u32_t wnd_inflation;
tcpwnd_size_t rcv_wnd;
LWIP_ASSERT_CORE_LOCKED();
@ -977,19 +978,13 @@ tcp_recved(struct tcp_pcb *pcb, u16_t len)
LWIP_ASSERT("don't call tcp_recved for listen-pcbs",
pcb->state != LISTEN);
pcb->rcv_wnd = (tcpwnd_size_t)(pcb->rcv_wnd + len);
if (pcb->rcv_wnd > TCP_WND_MAX(pcb)) {
rcv_wnd = (tcpwnd_size_t)(pcb->rcv_wnd + len);
if ((rcv_wnd > TCP_WND_MAX(pcb)) || (rcv_wnd < pcb->rcv_wnd)) {
/* window got too big or tcpwnd_size_t overflow */
LWIP_DEBUGF(TCP_DEBUG, ("tcp_recved: window got too big or tcpwnd_size_t overflow\n"));
pcb->rcv_wnd = TCP_WND_MAX(pcb);
} else if (pcb->rcv_wnd == 0) {
/* rcv_wnd overflowed */
if (TCP_STATE_IS_CLOSING(pcb->state)) {
/* In passive close, we allow this, since the FIN bit is added to rcv_wnd
by the stack itself, since it is not mandatory for an application
to call tcp_recved() for the FIN bit, but e.g. the netconn API does so. */
pcb->rcv_wnd = TCP_WND_MAX(pcb);
} else {
LWIP_ASSERT("tcp_recved: len wrapped rcv_wnd\n", 0);
}
} else {
pcb->rcv_wnd = rcv_wnd;
}
wnd_inflation = tcp_update_rcv_ann_wnd(pcb);