[incubator-nuttx] branch master updated: tcp: check option length before d_len update

[pk...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

pkarashchenko pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git


The following commit(s) were added to refs/heads/master by this push:
     new ef660083c8 tcp: check option length before d_len update
ef660083c8 is described below

commit ef660083c8ed7c1a78ca856a567b9bc2b4d227d2
Author: zhanghongyu <zh...@xiaomi.com>
AuthorDate: Fri Jul 15 17:10:37 2022 +0800

    tcp: check option length before d_len update
    
    Signed-off-by: zhanghongyu <zh...@xiaomi.com>
---
 net/tcp/tcp_input.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/tcp/tcp_input.c b/net/tcp/tcp_input.c
index b48e40b250..f51c17a4cf 100644
--- a/net/tcp/tcp_input.c
+++ b/net/tcp/tcp_input.c
@@ -622,24 +622,23 @@ found:
 
   len = (tcp->tcpoffset >> 4) << 2;
 
-  /* d_len will contain the length of the actual TCP data. This is
-   * calculated by subtracting the length of the TCP header (in
-   * len) and the length of the IP header.
-   */
-
-  dev->d_len -= (len + iplen);
-
   /* d_appdata should remove the tcp specific option field. */
 
   if ((tcp->tcpoffset & 0xf0) > 0x50)
     {
-      len = ((tcp->tcpoffset >> 4) - 5) << 2;
       if (dev->d_len >= len)
         {
-          dev->d_appdata += len;
+          dev->d_appdata += len - TCP_HDRLEN;
         }
     }
 
+  /* d_len will contain the length of the actual TCP data. This is
+   * calculated by subtracting the length of the TCP header (in
+   * len) and the length of the IP header.
+   */
+
+  dev->d_len -= (len + iplen);
+
   /* Check if the sequence number of the incoming packet is what we are
    * expecting next.  If not, we send out an ACK with the correct numbers
    * in, unless we are in the SYN_RCVD state and receive a SYN, in which