net/tcp: Fix clear condition in ofoseg input

We have a case where an HTTP server gives out-of-order ACKs, and the NuttX client makes `ofoseg`s with length 0, trying to rebuild / put them into the `ofosegs` array, which is not intended (no available data, so they should be skipped). This breaks later logic and finally crashes in `tcp_ofoseg_bufsize` (`ofosegs[i].data` is `NULL`, which should never happen in normal logic).

Note:
- `iob_trimhead` won't return `NULL` when it's applied to a normal IOB.
  - Keep `dev->d_iob == NULL` in case `iob_trimhead` is changed.
- `iob_free_chain` will do nothing when applied to `NULL`.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Zhe Weng 2023-04-18 17:46:56 +08:00 committed by Xiang Xiao
parent 6c73221dd4
commit 1aceb1d872

@ -454,10 +454,11 @@ static void tcp_input_ofosegs(FAR struct net_driver_s *dev,
/* Trim l3/l4 header to reserve appdata */
dev->d_iob = iob_trimhead(dev->d_iob, len);
if (dev->d_iob == NULL)
if (dev->d_iob == NULL || dev->d_iob->io_pktlen == 0)
{
/* No available data, clear device buffer */
iob_free_chain(dev->d_iob);
goto clear;
}
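Review bot: In the new `io_pktlen == 0` case, `iob_free_chain(dev->d_iob)` frees a real chain (with the old condition it only ever received `NULL`), yet `dev->d_iob` still holds the freed pointer when control jumps to `clear`. The `clear` label is outside this hunk, so please confirm that it only resets `dev->d_iob` and neither frees nor dereferences it again; otherwise set `dev->d_iob = NULL` immediately after the free here. It would also help to extend the comment `/* No available data, clear device buffer */` to say that a zero-length segment is dropped on purpose, so the `io_pktlen == 0` test is not later removed as redundant.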