mirror/lwip
1
0
Fork 0
mirror of https://github.com/lwip-tcpip/lwip.git synced 2025-03-13 07:14:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug #48539 (possible crash when packet received in SYN_SENT state)

Browse Source
This commit is contained in:
sg 2016-07-19 21:23:21 +02:00
parent b06f14c11f
commit dff46e3816
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/core/tcp_in.c
View File

@ -751,7 +751,7 @@ tcp_process(struct tcp_pcb *pcb)
pcb->snd_nxt, ntohl(pcb->unacked->tcphdr->seqno)));
/* received SYN ACK with expected sequence number? */
if ((flags & TCP_ACK) && (flags & TCP_SYN)
&& ackno == ntohl(pcb->unacked->tcphdr->seqno) + 1) {
&& (ackno == pcb->lastack + 1)) {
pcb->snd_buf++;
pcb->rcv_nxt = seqno + 1;
pcb->rcv_ann_right_edge = pcb->rcv_nxt;
@ -776,7 +776,15 @@ tcp_process(struct tcp_pcb *pcb)
--pcb->snd_queuelen;
LWIP_DEBUGF(TCP_QLEN_DEBUG, ("tcp_process: SYN-SENT --queuelen %"TCPWNDSIZE_F"\n", (tcpwnd_size_t)pcb->snd_queuelen));
rseg = pcb->unacked;
pcb->unacked = rseg->next;
if (rseg == NULL) {
/* might happen if tcp_output fails in tcp_rexmit_rto()
in which case the segment is on the unsent list */
rseg = pcb->unsent;
LWIP_ASSERT("no segment to free", rseg != NULL);
pcb->unsent = rseg->next;
} else {
pcb->unacked = rseg->next;
}
tcp_seg_free(rseg);
/* If there's nothing left to acknowledge, stop the retransmit