This is an automated email from the ASF dual-hosted git repository. xiaoxiang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 1aceb1d872f0859943e8a69be3299fffb00c84f4 Author: Zhe Weng <[email protected]> AuthorDate: Tue Apr 18 17:46:56 2023 +0800 net/tcp: Fix clear condition in ofoseg input We have a case that an http server gives out-of-ordered ACKs, and NuttX client makes `ofoseg`s with length 0, trying to rebuild / put them into `ofosegs` array, which is not intended (no available data and should be skipped). This breaks later logic and finally crashed in `tcp_ofoseg_bufsize` (`ofosegs[i].data` is `NULL`, which should never happen in normal logic). Note: - `iob_trimhead` won't return `NULL` when it's applying on normal IOB. - Keep `dev->d_iob == NULL` to avoid `iob_trimhead` changed. - `iob_free_chain` will do nothing when applied to `NULL`. Signed-off-by: Zhe Weng <[email protected]> --- net/tcp/tcp_input.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/tcp/tcp_input.c b/net/tcp/tcp_input.c index 06d21a07c3..47bbb6950f 100644 --- a/net/tcp/tcp_input.c +++ b/net/tcp/tcp_input.c @@ -454,10 +454,11 @@ static void tcp_input_ofosegs(FAR struct net_driver_s *dev, /* Trim l3/l4 header to reserve appdata */ dev->d_iob = iob_trimhead(dev->d_iob, len); - if (dev->d_iob == NULL) + if (dev->d_iob == NULL || dev->d_iob->io_pktlen == 0) { /* No available data, clear device buffer */ + iob_free_chain(dev->d_iob); goto clear; }
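
Review bot: after the added `iob_free_chain(dev->d_iob);` in the no-data branch, `dev->d_iob` still holds the address of the freed chain when control reaches `goto clear`. The code at the `clear` label is outside this hunk, so please confirm it only resets `dev->d_iob` and neither frees nor dereferences it. If that cannot be guaranteed, set `dev->d_iob = NULL` immediately after the free so the branch is safe on its own. The comment `/* No available data, clear device buffer */` could also mention the zero-length case (`io_pktlen == 0`), since that is the condition this fix adds and the reason the free is now needed.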
