net: tcp: Validate incoming ACK number

pfalcon · jukkar · commit ac7b1291dae9 · 2018-01-15T15:07:49.000+02:00
Per RFC 793:

  A new acknowledgment (called an "acceptable ack"), is one for which
  the inequality below holds:

    SND.UNA &lt; SEG.ACK =&lt; SND.NXT

If acknowledgement is received for sequence number which wasn't yet
sent, log an error and ignore it.

Signed-off-by: Paul Sokolovsky &lt;paul.sokolovsky@linaro.org&gt;
diff --git a/subsys/net/ip/net_context.c b/subsys/net/ip/net_context.c
@@ -1192,11 +1192,14 @@ NET_CONN_CB(tcp_established)
 
 	/* Handle TCP state transition */
 	if (tcp_flags & NET_TCP_ACK) {
+		if (!net_tcp_ack_received(context,
+				     sys_get_be32(tcp_hdr->ack))) {
+			return NET_DROP;
+		}
+
 		/* TCP state might be changed after maintaining the sent pkt
 		 * list, e.g., an ack of FIN is received.
 		 */
-		net_tcp_ack_received(context,
-				     sys_get_be32(tcp_hdr->ack));
 
 		if (net_tcp_get_state(context->tcp)
 			   == NET_TCP_FIN_WAIT_1) {
diff --git a/subsys/net/ip/tcp.c b/subsys/net/ip/tcp.c
@@ -901,7 +901,7 @@ int net_tcp_send_data(struct net_context *context)
 	return 0;
 }
 
-void net_tcp_ack_received(struct net_context *ctx, u32_t ack)
+bool net_tcp_ack_received(struct net_context *ctx, u32_t ack)
 {
 	struct net_tcp *tcp = ctx->tcp;
 	sys_slist_t *list = &ctx->tcp->sent_list;
@@ -910,6 +910,16 @@ void net_tcp_ack_received(struct net_context *ctx, u32_t ack)
 	u32_t seq;
 	bool valid_ack = false;
 
+	if (net_tcp_seq_greater(ack, ctx->tcp->send_seq)) {
+		NET_ERR("ctx %p: ACK for unsent data", ctx);
+		net_stats_update_tcp_seg_ackerr();
+		/* RFC 793 doesn't say that invalid ack sequence is an error
+		 * in the general case, but we implement tighter checking,
+		 * and consider entire packet invalid.
+		 */
+		return false;
+	}
+
 	if (IS_ENABLED(CONFIG_NET_STATISTICS_TCP) &&
 	    sys_slist_is_empty(list)) {
 		net_stats_update_tcp_seg_ackerr();
@@ -981,6 +991,8 @@ void net_tcp_ack_received(struct net_context *ctx, u32_t ack)
 			net_tcp_send_data(ctx);
 		}
 	}
+
+	return true;
 }
 
 void net_tcp_init(void)
diff --git a/subsys/net/ip/tcp.h b/subsys/net/ip/tcp.h
@@ -356,8 +356,9 @@ int net_tcp_send_pkt(struct net_pkt *pkt);
  *
  * @param cts Context
  * @param seq Received ACK sequence number
+ * @return False if ACK sequence number is invalid, true otherwise
  */
-void net_tcp_ack_received(struct net_context *ctx, u32_t ack);
+bool net_tcp_ack_received(struct net_context *ctx, u32_t ack);
 
 /**
  * @brief Calculates and returns the MSS for a given TCP context
