Merge pull request #491 from smoltcp-rs/fix-tcp-overflow

tcp: fix substract with overflow when receiving a SYNACK with unincremented ACK number.
2021-06-11 22:29:30 +02:00 · 2021-06-11 22:29:30 +02:00 · 158fdad8bf
parent 8bed6cd0b4 caad8929d5
commit 158fdad8bf
1 changed files with 42 additions and 4 deletions
--- a/src/socket/tcp.rs
+++ b/src/socket/tcp.rs
@ -1185,20 +1185,35 @@ impl<'a> TcpSocket<'a> {
                self.abort();
                return Err(Error::Dropped)
            }
+            // SYN|ACK in the SYN-SENT state must have the exact ACK number.
+            (State::SynSent, &TcpRepr {
+                control: TcpControl::Syn, ack_number: Some(ack_number), ..
+            }) => {
+                if ack_number != self.local_seq_no + 1 {
+                    net_debug!("{}:{}:{}: unacceptable SYN|ACK in response to initial SYN",
+                               self.meta.handle, self.local_endpoint, self.remote_endpoint);
+                    return Err(Error::Dropped)
+                }
+            }
            // Every acknowledgement must be for transmitted but unacknowledged data.
            (_, &TcpRepr { ack_number: Some(ack_number), .. }) => {
                let unacknowledged = self.tx_buffer.len() + control_len;
-                if ack_number < self.local_seq_no {
+
+                // Acceptable ACK range (both inclusive)
+                let ack_min = self.local_seq_no;
+                let ack_max = self.local_seq_no + unacknowledged;
+
+                if ack_number < ack_min {
                    net_debug!("{}:{}:{}: duplicate ACK ({} not in {}...{})",
                               self.meta.handle, self.local_endpoint, self.remote_endpoint,
-                               ack_number, self.local_seq_no, self.local_seq_no + unacknowledged);
+                               ack_number, ack_min, ack_max);
                    return Err(Error::Dropped)
                }

-                if ack_number > self.local_seq_no + unacknowledged {
+                if ack_number > ack_max {
                    net_debug!("{}:{}:{}: unacceptable ACK ({} not in {}...{})",
                               self.meta.handle, self.local_endpoint, self.remote_endpoint,
-                               ack_number, self.local_seq_no, self.local_seq_no + unacknowledged);
+                               ack_number, ack_min, ack_max);
                    return Ok(Some(self.ack_reply(ip_repr, &repr)))
                }
            }
@ -2736,6 +2751,29 @@ mod test {
        sanity!(s, socket_established());
    }

+    #[test]
+    fn test_syn_sent_syn_ack_not_incremented() {
+        let mut s = socket_syn_sent();
+        recv!(s, [TcpRepr {
+            control:    TcpControl::Syn,
+            seq_number: LOCAL_SEQ,
+            ack_number: None,
+            max_seg_size: Some(BASE_MSS),
+            window_scale: Some(0),
+            sack_permitted: true,
+            ..RECV_TEMPL
+        }]);
+        send!(s, TcpRepr {
+            control:    TcpControl::Syn,
+            seq_number: REMOTE_SEQ,
+            ack_number: Some(LOCAL_SEQ), // WRONG
+            max_seg_size: Some(BASE_MSS - 80),
+            window_scale: Some(0),
+            ..SEND_TEMPL
+        }, Err(Error::Dropped));
+        assert_eq!(s.state, State::SynSent);
+    }
+
    #[test]
    fn test_syn_sent_rst() {
        let mut s = socket_syn_sent();