summaryrefslogtreecommitdiffstats
path: root/src/vnet/tcp
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2019-04-02 21:43:38 -0700
committerFlorin Coras <florin.coras@gmail.com>2019-04-04 14:40:16 +0000
commit282a3cb7265346e1299c9401b35730b80f4b506b (patch)
treeed50249efa6581ada769da7749a5032a93aace99 /src/vnet/tcp
parent7c22ff72aa54d15484fdc70e0c1b8a9ec5e880e0 (diff)
tcp: properly validate acks between snd_nxt and una_max
Change-Id: I37af3cb5fe3fe8556acbf8350f88663dca9ca8a9 Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet/tcp')
-rw-r--r--src/vnet/tcp/tcp_input.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c
index 49270314924..e0139a47e0c 100644
--- a/src/vnet/tcp/tcp_input.c
+++ b/src/vnet/tcp/tcp_input.c
@@ -411,7 +411,8 @@ tcp_rcv_ack_no_cc (tcp_connection_t * tc, vlib_buffer_t * b, u32 * error)
if (!(seq_leq (tc->snd_una, vnet_buffer (b)->tcp.ack_number)
&& seq_leq (vnet_buffer (b)->tcp.ack_number, tc->snd_nxt)))
{
- if (seq_leq (vnet_buffer (b)->tcp.ack_number, tc->snd_una_max))
+ if (seq_leq (vnet_buffer (b)->tcp.ack_number, tc->snd_una_max)
+ && seq_gt (vnet_buffer (b)->tcp.ack_number, tc->snd_una))
{
tc->snd_nxt = vnet_buffer (b)->tcp.ack_number;
goto acceptable;
@@ -1580,7 +1581,8 @@ tcp_rcv_ack (tcp_worker_ctx_t * wrk, tcp_connection_t * tc, vlib_buffer_t * b,
{
/* We've probably entered recovery and the peer still has some
* of the data we've sent. Update snd_nxt and accept the ack */
- if (seq_leq (vnet_buffer (b)->tcp.ack_number, tc->snd_una_max))
+ if (seq_leq (vnet_buffer (b)->tcp.ack_number, tc->snd_una_max)
+ && seq_gt (vnet_buffer (b)->tcp.ack_number, tc->snd_una))
{
tc->snd_nxt = vnet_buffer (b)->tcp.ack_number;
goto process_ack;