net/tcp: Fix clear condition in ofoseg input
We have a case where an HTTP server gives out-of-order ACKs, and the NuttX client makes `ofoseg`s with length 0, trying to rebuild / put them into the `ofosegs` array, which is not intended (no available data and should be skipped). This breaks later logic and finally crashes in `tcp_ofoseg_bufsize` (`ofosegs[i].data` is `NULL`, which should never happen in normal logic).

Note:
- `iob_trimhead` won't return `NULL` when it's applied to a normal IOB.
  - Keep `dev->d_iob == NULL` to avoid `iob_trimhead` changed.
- `iob_free_chain` will do nothing when applied to `NULL`.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
wengzhe committed Apr 20, 2023
1 parent c00498c commit f076790
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion net/tcp/tcp_input.c
Expand Up @@ -454,10 +454,11 @@ static void tcp_input_ofosegs(FAR struct net_driver_s *dev,
/* Trim l3/l4 header to reserve appdata */

dev->d_iob = iob_trimhead(dev->d_iob, len);
if (dev->d_iob == NULL)
if (dev->d_iob == NULL || dev->d_iob->io_pktlen == 0)
{
/* No available data, clear device buffer */

iob_free_chain(dev->d_iob);
goto clear;
}
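
Review bot: In the new `dev->d_iob->io_pktlen == 0` case, `iob_free_chain(dev->d_iob)` now releases a real chain (before this change the body only ran with a `NULL` pointer, where the free was a no-op), yet nothing in the visible lines resets `dev->d_iob` before `goto clear`. Please confirm that the `clear` label overwrites the pointer without touching the freed chain, or set `dev->d_iob = NULL` immediately after the free so a later access cannot become a use-after-free or double free. The comment "No available data, clear device buffer" would also be clearer if it named the zero-length segment case (for example a bare ACK with no payload) that this condition now covers.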
