Merge pull request #491 from smoltcp-rs/fix-tcp-overflow

tcp: fix substract with overflow when receiving a SYNACK with unincremented ACK number.

src/socket/tcp.rs

@@ -1185,20 +1185,35 @@ impl<'a> TcpSocket<'a> {
                 self.abort();
                 return Err(Error::Dropped)
             }
+            // SYN|ACK in the SYN-SENT state must have the exact ACK number.
+            (State::SynSent, &TcpRepr {
+                control: TcpControl::Syn, ack_number: Some(ack_number), ..
+            }) => {
+                if ack_number != self.local_seq_no + 1 {
+                    net_debug!("{}:{}:{}: unacceptable SYN|ACK in response to initial SYN",
+                               self.meta.handle, self.local_endpoint, self.remote_endpoint);
+                    return Err(Error::Dropped)
+                }
+            }
             // Every acknowledgement must be for transmitted but unacknowledged data.
             (_, &TcpRepr { ack_number: Some(ack_number), .. }) => {
                 let unacknowledged = self.tx_buffer.len() + control_len;
-                if ack_number < self.local_seq_no {
+
+                // Acceptable ACK range (both inclusive)
+                let ack_min = self.local_seq_no;
+                let ack_max = self.local_seq_no + unacknowledged;
+
+                if ack_number < ack_min {
                     net_debug!("{}:{}:{}: duplicate ACK ({} not in {}...{})",
                                self.meta.handle, self.local_endpoint, self.remote_endpoint,
-                               ack_number, self.local_seq_no, self.local_seq_no + unacknowledged);
+                               ack_number, ack_min, ack_max);
                     return Err(Error::Dropped)
                 }
 
-                if ack_number > self.local_seq_no + unacknowledged {
+                if ack_number > ack_max {
                     net_debug!("{}:{}:{}: unacceptable ACK ({} not in {}...{})",
                                self.meta.handle, self.local_endpoint, self.remote_endpoint,
-                               ack_number, self.local_seq_no, self.local_seq_no + unacknowledged);
+                               ack_number, ack_min, ack_max);
                     return Ok(Some(self.ack_reply(ip_repr, &repr)))
                 }
             }
@@ -2736,6 +2751,29 @@ mod test {
         sanity!(s, socket_established());
     }
 
+    #[test]
+    fn test_syn_sent_syn_ack_not_incremented() {
+        let mut s = socket_syn_sent();
+        recv!(s, [TcpRepr {
+            control:    TcpControl::Syn,
+            seq_number: LOCAL_SEQ,
+            ack_number: None,
+            max_seg_size: Some(BASE_MSS),
+            window_scale: Some(0),
+            sack_permitted: true,
+            ..RECV_TEMPL
+        }]);
+        send!(s, TcpRepr {
+            control:    TcpControl::Syn,
+            seq_number: REMOTE_SEQ,
+            ack_number: Some(LOCAL_SEQ), // WRONG
+            max_seg_size: Some(BASE_MSS - 80),
+            window_scale: Some(0),
+            ..SEND_TEMPL
+        }, Err(Error::Dropped));
+        assert_eq!(s.state, State::SynSent);
+    }
+
     #[test]
     fn test_syn_sent_rst() {
         let mut s = socket_syn_sent();