1 /**
2  * @file
3  * Transmission Control Protocol, incoming traffic
4  *
5  * The input processing functions of the TCP layer.
6  *
7  * These functions are generally called in the order (ip_input() ->)
8  * tcp_input() -> * tcp_process() -> tcp_receive() (-> application).
9  *
10  */
11 
12 /*
13  * Copyright (c) 2001-2004 Swedish Institute of Computer Science.
14  * All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without modification,
17  * are permitted provided that the following conditions are met:
18  *
19  * 1. Redistributions of source code must retain the above copyright notice,
20  *    this list of conditions and the following disclaimer.
21  * 2. Redistributions in binary form must reproduce the above copyright notice,
22  *    this list of conditions and the following disclaimer in the documentation
23  *    and/or other materials provided with the distribution.
24  * 3. The name of the author may not be used to endorse or promote products
25  *    derived from this software without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
28  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
29  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
30  * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
31  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
32  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
33  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
34  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
35  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
36  * OF SUCH DAMAGE.
37  *
38  * This file is part of the lwIP TCP/IP stack.
39  *
40  * Author: Adam Dunkels <adam@sics.se>
41  *
42  */
43 
44 #include "lwip/opt.h"
45 
46 #if LWIP_TCP /* don't build if not configured for use in lwipopts.h */
47 
48 #include "lwip/tcp_impl.h"
49 #include "lwip/def.h"
50 #include "lwip/ip_addr.h"
51 #include "lwip/netif.h"
52 #include "lwip/mem.h"
53 #include "lwip/memp.h"
54 #include "lwip/inet_chksum.h"
55 #include "lwip/stats.h"
56 #include "lwip/snmp.h"
57 #include "arch/perf.h"
58 
59 /* These variables are global to all functions involved in the input
60    processing of TCP segments. They are set by the tcp_input()
61    function. */
62 static struct tcp_seg inseg;
63 static struct tcp_hdr *tcphdr;
64 static struct ip_hdr *iphdr;
65 static u32_t seqno, ackno;
66 static u8_t flags;
67 static u16_t tcplen;
68 
69 static u8_t recv_flags;
70 static struct pbuf *recv_data;
71 
72 struct tcp_pcb *tcp_input_pcb;
73 
74 /* Forward declarations. */
75 static err_t tcp_process(struct tcp_pcb *pcb);
76 static void tcp_receive(struct tcp_pcb *pcb);
77 static void tcp_parseopt(struct tcp_pcb *pcb);
78 
79 static err_t tcp_listen_input(struct tcp_pcb_listen *pcb);
80 static err_t tcp_timewait_input(struct tcp_pcb *pcb);
81 
82 /**
83  * The initial input processing of TCP. It verifies the TCP header, demultiplexes
84  * the segment between the PCBs and passes it on to tcp_process(), which implements
85  * the TCP finite state machine. This function is called by the IP layer (in
86  * ip_input()).
87  *
88  * @param p received TCP segment to process (p->payload pointing to the IP header)
89  * @param inp network interface on which this segment was received
90  */
91 void
tcp_input(struct pbuf * p,struct netif * inp)92 tcp_input(struct pbuf *p, struct netif *inp)
93 {
94   struct tcp_pcb *pcb, *prev;
95   struct tcp_pcb_listen *lpcb;
96 #if SO_REUSE
97   struct tcp_pcb *lpcb_prev = NULL;
98   struct tcp_pcb_listen *lpcb_any = NULL;
99 #endif /* SO_REUSE */
100   u8_t hdrlen;
101   err_t err;
102 
103   PERF_START;
104 
105   TCP_STATS_INC(tcp.recv);
106   snmp_inc_tcpinsegs();
107 
108   iphdr = (struct ip_hdr *)p->payload;
109   tcphdr = (struct tcp_hdr *)((u8_t *)p->payload + IPH_HL(iphdr) * 4);
110 
111 #if TCP_INPUT_DEBUG
112   tcp_debug_print(tcphdr);
113 #endif
114 
115   /* remove header from payload */
116   if (pbuf_header(p, -((s16_t)(IPH_HL(iphdr) * 4))) || (p->tot_len < sizeof(struct tcp_hdr))) {
117     /* drop short packets */
118     LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: short packet (%"U16_F" bytes) discarded\n", p->tot_len));
119     TCP_STATS_INC(tcp.lenerr);
120     TCP_STATS_INC(tcp.drop);
121     snmp_inc_tcpinerrs();
122     pbuf_free(p);
123     return;
124   }
125 
126   /* Don't even process incoming broadcasts/multicasts. */
127   if (ip_addr_isbroadcast(&current_iphdr_dest, inp) ||
128       ip_addr_ismulticast(&current_iphdr_dest)) {
129     TCP_STATS_INC(tcp.proterr);
130     TCP_STATS_INC(tcp.drop);
131     snmp_inc_tcpinerrs();
132     pbuf_free(p);
133     return;
134   }
135 
136 #if CHECKSUM_CHECK_TCP
137   /* Verify TCP checksum. */
138   if (inet_chksum_pseudo(p, ip_current_src_addr(), ip_current_dest_addr(),
139       IP_PROTO_TCP, p->tot_len) != 0) {
140       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: packet discarded due to failing checksum 0x%04"X16_F"\n",
141         inet_chksum_pseudo(p, ip_current_src_addr(), ip_current_dest_addr(),
142       IP_PROTO_TCP, p->tot_len)));
143 #if TCP_DEBUG
144     tcp_debug_print(tcphdr);
145 #endif /* TCP_DEBUG */
146     TCP_STATS_INC(tcp.chkerr);
147     TCP_STATS_INC(tcp.drop);
148     snmp_inc_tcpinerrs();
149     pbuf_free(p);
150     return;
151   }
152 #endif
153 
154   /* Move the payload pointer in the pbuf so that it points to the
155      TCP data instead of the TCP header. */
156   hdrlen = TCPH_HDRLEN(tcphdr);
157   if(pbuf_header(p, -(hdrlen * 4))){
158     /* drop short packets */
159     LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: short packet\n"));
160     TCP_STATS_INC(tcp.lenerr);
161     TCP_STATS_INC(tcp.drop);
162     snmp_inc_tcpinerrs();
163     pbuf_free(p);
164     return;
165   }
166 
167   /* Convert fields in TCP header to host byte order. */
168   tcphdr->src = ntohs(tcphdr->src);
169   tcphdr->dest = ntohs(tcphdr->dest);
170   seqno = tcphdr->seqno = ntohl(tcphdr->seqno);
171   ackno = tcphdr->ackno = ntohl(tcphdr->ackno);
172   tcphdr->wnd = ntohs(tcphdr->wnd);
173 
174   flags = TCPH_FLAGS(tcphdr);
175   tcplen = p->tot_len + ((flags & (TCP_FIN | TCP_SYN)) ? 1 : 0);
176 
177   /* Demultiplex an incoming segment. First, we check if it is destined
178      for an active connection. */
179   prev = NULL;
180 
181 
182   for(pcb = tcp_active_pcbs; pcb != NULL; pcb = pcb->next) {
183     LWIP_ASSERT("tcp_input: active pcb->state != CLOSED", pcb->state != CLOSED);
184     LWIP_ASSERT("tcp_input: active pcb->state != TIME-WAIT", pcb->state != TIME_WAIT);
185     LWIP_ASSERT("tcp_input: active pcb->state != LISTEN", pcb->state != LISTEN);
186     if (pcb->remote_port == tcphdr->src &&
187        pcb->local_port == tcphdr->dest &&
188        ip_addr_cmp(&(pcb->remote_ip), &current_iphdr_src) &&
189        ip_addr_cmp(&(pcb->local_ip), &current_iphdr_dest)) {
190 
191       /* Move this PCB to the front of the list so that subsequent
192          lookups will be faster (we exploit locality in TCP segment
193          arrivals). */
194       LWIP_ASSERT("tcp_input: pcb->next != pcb (before cache)", pcb->next != pcb);
195       if (prev != NULL) {
196         prev->next = pcb->next;
197         pcb->next = tcp_active_pcbs;
198         tcp_active_pcbs = pcb;
199       }
200       LWIP_ASSERT("tcp_input: pcb->next != pcb (after cache)", pcb->next != pcb);
201       break;
202     }
203     prev = pcb;
204   }
205 
206   if (pcb == NULL) {
207     /* If it did not go to an active connection, we check the connections
208        in the TIME-WAIT state. */
209     for(pcb = tcp_tw_pcbs; pcb != NULL; pcb = pcb->next) {
210       LWIP_ASSERT("tcp_input: TIME-WAIT pcb->state == TIME-WAIT", pcb->state == TIME_WAIT);
211       if (pcb->remote_port == tcphdr->src &&
212          pcb->local_port == tcphdr->dest &&
213          ip_addr_cmp(&(pcb->remote_ip), &current_iphdr_src) &&
214          ip_addr_cmp(&(pcb->local_ip), &current_iphdr_dest)) {
215         /* We don't really care enough to move this PCB to the front
216            of the list since we are not very likely to receive that
217            many segments for connections in TIME-WAIT. */
218         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: packed for TIME_WAITing connection.\n"));
219         tcp_timewait_input(pcb);
220         pbuf_free(p);
221         return;
222       }
223     }
224 
225     /* Finally, if we still did not get a match, we check all PCBs that
226        are LISTENing for incoming connections. */
227     prev = NULL;
228     for(lpcb = tcp_listen_pcbs.listen_pcbs; lpcb != NULL; lpcb = lpcb->next) {
229       if (lpcb->local_port == tcphdr->dest) {
230 #if SO_REUSE
231         if (ip_addr_cmp(&(lpcb->local_ip), &current_iphdr_dest)) {
232           /* found an exact match */
233           break;
234         } else if(ip_addr_isany(&(lpcb->local_ip))) {
235           /* found an ANY-match */
236           lpcb_any = lpcb;
237           lpcb_prev = prev;
238         }
239 #else /* SO_REUSE */
240         if (ip_addr_cmp(&(lpcb->local_ip), &current_iphdr_dest) ||
241             ip_addr_isany(&(lpcb->local_ip))) {
242           /* found a match */
243           break;
244         }
245 #endif /* SO_REUSE */
246       }
247       prev = (struct tcp_pcb *)lpcb;
248     }
249 #if SO_REUSE
250     /* first try specific local IP */
251     if (lpcb == NULL) {
252       /* only pass to ANY if no specific local IP has been found */
253       lpcb = lpcb_any;
254       prev = lpcb_prev;
255     }
256 #endif /* SO_REUSE */
257     if (lpcb != NULL) {
258       /* Move this PCB to the front of the list so that subsequent
259          lookups will be faster (we exploit locality in TCP segment
260          arrivals). */
261       if (prev != NULL) {
262         ((struct tcp_pcb_listen *)prev)->next = lpcb->next;
263               /* our successor is the remainder of the listening list */
264         lpcb->next = tcp_listen_pcbs.listen_pcbs;
265               /* put this listening pcb at the head of the listening list */
266         tcp_listen_pcbs.listen_pcbs = lpcb;
267       }
268 
269       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: packed for LISTENing connection.\n"));
270       tcp_listen_input(lpcb);
271       pbuf_free(p);
272       return;
273     }
274   }
275 
276 #if TCP_INPUT_DEBUG
277   LWIP_DEBUGF(TCP_INPUT_DEBUG, ("+-+-+-+-+-+-+-+-+-+-+-+-+-+- tcp_input: flags "));
278   tcp_debug_print_flags(TCPH_FLAGS(tcphdr));
279   LWIP_DEBUGF(TCP_INPUT_DEBUG, ("-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n"));
280 #endif /* TCP_INPUT_DEBUG */
281 
282 
283   if (pcb != NULL) {
284     /* The incoming segment belongs to a connection. */
285 #if TCP_INPUT_DEBUG
286 #if TCP_DEBUG
287     tcp_debug_print_state(pcb->state);
288 #endif /* TCP_DEBUG */
289 #endif /* TCP_INPUT_DEBUG */
290 
291     /* Set up a tcp_seg structure. */
292     inseg.next = NULL;
293     inseg.len = p->tot_len;
294     inseg.p = p;
295     inseg.tcphdr = tcphdr;
296 
297     recv_data = NULL;
298     recv_flags = 0;
299 
300     /* If there is data which was previously "refused" by upper layer */
301     if (pcb->refused_data != NULL) {
302       /* Notify again application with data previously received. */
303       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: notify kept packet\n"));
304       TCP_EVENT_RECV(pcb, pcb->refused_data, ERR_OK, err);
305       if (err == ERR_OK) {
306         pcb->refused_data = NULL;
307       } else if ((err == ERR_ABRT) || (tcplen > 0)) {
308         /* if err == ERR_ABRT, 'pcb' is already deallocated */
309         /* Drop incoming packets because pcb is "full" (only if the incoming
310            segment contains data). */
311         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: drop incoming packets, because pcb is \"full\"\n"));
312         TCP_STATS_INC(tcp.drop);
313         snmp_inc_tcpinerrs();
314         pbuf_free(p);
315         return;
316       }
317     }
318     tcp_input_pcb = pcb;
319     err = tcp_process(pcb);
320     /* A return value of ERR_ABRT means that tcp_abort() was called
321        and that the pcb has been freed. If so, we don't do anything. */
322     if (err != ERR_ABRT) {
323       if (recv_flags & TF_RESET) {
324         /* TF_RESET means that the connection was reset by the other
325            end. We then call the error callback to inform the
326            application that the connection is dead before we
327            deallocate the PCB. */
328         TCP_EVENT_ERR(pcb->errf, pcb->callback_arg, ERR_RST);
329         tcp_pcb_remove(&tcp_active_pcbs, pcb);
330         memp_free(MEMP_TCP_PCB, pcb);
331       } else if (recv_flags & TF_CLOSED) {
332         /* The connection has been closed and we will deallocate the
333            PCB. */
334         tcp_pcb_remove(&tcp_active_pcbs, pcb);
335         memp_free(MEMP_TCP_PCB, pcb);
336       } else {
337         err = ERR_OK;
338         /* If the application has registered a "sent" function to be
339            called when new send buffer space is available, we call it
340            now. */
341         if (pcb->acked > 0) {
342           TCP_EVENT_SENT(pcb, pcb->acked, err);
343           if (err == ERR_ABRT) {
344             goto aborted;
345           }
346         }
347 
348         if (recv_data != NULL) {
349           LWIP_ASSERT("pcb->refused_data == NULL", pcb->refused_data == NULL);
350           if (pcb->flags & TF_RXCLOSED) {
351             /* received data although already closed -> abort (send RST) to
352                notify the remote host that not all data has been processed */
353             pbuf_free(recv_data);
354             tcp_abort(pcb);
355             goto aborted;
356           }
357           if (flags & TCP_PSH) {
358             recv_data->flags |= PBUF_FLAG_PUSH;
359           }
360 
361           /* Notify application that data has been received. */
362           TCP_EVENT_RECV(pcb, recv_data, ERR_OK, err);
363           if (err == ERR_ABRT) {
364             goto aborted;
365           }
366 
367           /* If the upper layer can't receive this data, store it */
368           if (err != ERR_OK) {
369             pcb->refused_data = recv_data;
370             LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_input: keep incoming packet, because pcb is \"full\"\n"));
371           }
372         }
373 
374         /* If a FIN segment was received, we call the callback
375            function with a NULL buffer to indicate EOF. */
376         if (recv_flags & TF_GOT_FIN) {
377           /* correct rcv_wnd as the application won't call tcp_recved()
378              for the FIN's seqno */
379           if (pcb->rcv_wnd != TCP_WND) {
380             pcb->rcv_wnd++;
381           }
382           TCP_EVENT_CLOSED(pcb, err);
383           if (err == ERR_ABRT) {
384             goto aborted;
385           }
386         }
387 
388         tcp_input_pcb = NULL;
389         /* Try to send something out. */
390         tcp_output(pcb);
391 #if TCP_INPUT_DEBUG
392 #if TCP_DEBUG
393         tcp_debug_print_state(pcb->state);
394 #endif /* TCP_DEBUG */
395 #endif /* TCP_INPUT_DEBUG */
396       }
397     }
398     /* Jump target if pcb has been aborted in a callback (by calling tcp_abort()).
399        Below this line, 'pcb' may not be dereferenced! */
400 aborted:
401     tcp_input_pcb = NULL;
402     recv_data = NULL;
403 
404     /* give up our reference to inseg.p */
405     if (inseg.p != NULL)
406     {
407       pbuf_free(inseg.p);
408       inseg.p = NULL;
409     }
410   } else {
411 
412     /* If no matching PCB was found, send a TCP RST (reset) to the
413        sender. */
414     LWIP_DEBUGF(TCP_RST_DEBUG, ("tcp_input: no PCB match found, resetting.\n"));
415     if (!(TCPH_FLAGS(tcphdr) & TCP_RST)) {
416       TCP_STATS_INC(tcp.proterr);
417       TCP_STATS_INC(tcp.drop);
418       tcp_rst(ackno, seqno + tcplen,
419         ip_current_dest_addr(), ip_current_src_addr(),
420         tcphdr->dest, tcphdr->src);
421     }
422     pbuf_free(p);
423   }
424 
425   LWIP_ASSERT("tcp_input: tcp_pcbs_sane()", tcp_pcbs_sane());
426   PERF_STOP("tcp_input");
427 }
428 
429 /**
430  * Called by tcp_input() when a segment arrives for a listening
431  * connection (from tcp_input()).
432  *
433  * @param pcb the tcp_pcb_listen for which a segment arrived
434  * @return ERR_OK if the segment was processed
435  *         another err_t on error
436  *
437  * @note the return value is not (yet?) used in tcp_input()
438  * @note the segment which arrived is saved in global variables, therefore only the pcb
439  *       involved is passed as a parameter to this function
440  */
441 static err_t
tcp_listen_input(struct tcp_pcb_listen * pcb)442 tcp_listen_input(struct tcp_pcb_listen *pcb)
443 {
444   struct tcp_pcb *npcb;
445   err_t rc;
446 
447   /* In the LISTEN state, we check for incoming SYN segments,
448      creates a new PCB, and responds with a SYN|ACK. */
449   if (flags & TCP_ACK) {
450     /* For incoming segments with the ACK flag set, respond with a
451        RST. */
452     LWIP_DEBUGF(TCP_RST_DEBUG, ("tcp_listen_input: ACK in LISTEN, sending reset\n"));
453     tcp_rst(ackno + 1, seqno + tcplen,
454       ip_current_dest_addr(), ip_current_src_addr(),
455       tcphdr->dest, tcphdr->src);
456   } else if (flags & TCP_SYN) {
457     LWIP_DEBUGF(TCP_DEBUG, ("TCP connection request %"U16_F" -> %"U16_F".\n", tcphdr->src, tcphdr->dest));
458 #if TCP_LISTEN_BACKLOG
459     if (pcb->accepts_pending >= pcb->backlog) {
460       LWIP_DEBUGF(TCP_DEBUG, ("tcp_listen_input: listen backlog exceeded for port %"U16_F"\n", tcphdr->dest));
461       return ERR_ABRT;
462     }
463 #endif /* TCP_LISTEN_BACKLOG */
464     npcb = tcp_alloc(pcb->prio);
465     /* If a new PCB could not be created (probably due to lack of memory),
466        we don't do anything, but rely on the sender will retransmit the
467        SYN at a time when we have more memory available. */
468     if (npcb == NULL) {
469       LWIP_DEBUGF(TCP_DEBUG, ("tcp_listen_input: could not allocate PCB\n"));
470       TCP_STATS_INC(tcp.memerr);
471       return ERR_MEM;
472     }
473 #if TCP_LISTEN_BACKLOG
474     pcb->accepts_pending++;
475 #endif /* TCP_LISTEN_BACKLOG */
476     /* Set up the new PCB. */
477     ip_addr_copy(npcb->local_ip, current_iphdr_dest);
478     npcb->local_port = pcb->local_port;
479     ip_addr_copy(npcb->remote_ip, current_iphdr_src);
480     npcb->remote_port = tcphdr->src;
481     npcb->state = SYN_RCVD;
482     npcb->rcv_nxt = seqno + 1;
483     npcb->rcv_ann_right_edge = npcb->rcv_nxt;
484     npcb->snd_wnd = tcphdr->wnd;
485     npcb->ssthresh = npcb->snd_wnd;
486     npcb->snd_wl1 = seqno - 1;/* initialise to seqno-1 to force window update */
487     npcb->callback_arg = pcb->callback_arg;
488 #if LWIP_CALLBACK_API
489     npcb->accept = pcb->accept;
490 #endif /* LWIP_CALLBACK_API */
491     /* inherit socket options */
492     npcb->so_options = pcb->so_options & SOF_INHERITED;
493     /* Register the new PCB so that we can begin receiving segments
494        for it. */
495     TCP_REG(&tcp_active_pcbs, npcb);
496 
497     /* Parse any options in the SYN. */
498     tcp_parseopt(npcb);
499 #if TCP_CALCULATE_EFF_SEND_MSS
500     npcb->mss = tcp_eff_send_mss(npcb->mss, &(npcb->remote_ip));
501 #endif /* TCP_CALCULATE_EFF_SEND_MSS */
502 
503     snmp_inc_tcppassiveopens();
504 
505     /* Send a SYN|ACK together with the MSS option. */
506     rc = tcp_enqueue_flags(npcb, TCP_SYN | TCP_ACK);
507     if (rc != ERR_OK) {
508       tcp_abandon(npcb, 0);
509       return rc;
510     }
511     return tcp_output(npcb);
512   }
513   return ERR_OK;
514 }
515 
516 /**
517  * Called by tcp_input() when a segment arrives for a connection in
518  * TIME_WAIT.
519  *
520  * @param pcb the tcp_pcb for which a segment arrived
521  *
522  * @note the segment which arrived is saved in global variables, therefore only the pcb
523  *       involved is passed as a parameter to this function
524  */
525 static err_t
tcp_timewait_input(struct tcp_pcb * pcb)526 tcp_timewait_input(struct tcp_pcb *pcb)
527 {
528   /* RFC 1337: in TIME_WAIT, ignore RST and ACK FINs + any 'acceptable' segments */
529   /* RFC 793 3.9 Event Processing - Segment Arrives:
530    * - first check sequence number - we skip that one in TIME_WAIT (always
531    *   acceptable since we only send ACKs)
532    * - second check the RST bit (... return) */
533   if (flags & TCP_RST)  {
534     return ERR_OK;
535   }
536   /* - fourth, check the SYN bit, */
537   if (flags & TCP_SYN) {
538     /* If an incoming segment is not acceptable, an acknowledgment
539        should be sent in reply */
540     if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt, pcb->rcv_nxt+pcb->rcv_wnd)) {
541       /* If the SYN is in the window it is an error, send a reset */
542       tcp_rst(ackno, seqno + tcplen, ip_current_dest_addr(), ip_current_src_addr(),
543         tcphdr->dest, tcphdr->src);
544       return ERR_OK;
545     }
546   } else if (flags & TCP_FIN) {
547     /* - eighth, check the FIN bit: Remain in the TIME-WAIT state.
548          Restart the 2 MSL time-wait timeout.*/
549     pcb->tmr = tcp_ticks;
550   }
551 
552   if ((tcplen > 0))  {
553     /* Acknowledge data, FIN or out-of-window SYN */
554     pcb->flags |= TF_ACK_NOW;
555     return tcp_output(pcb);
556   }
557   return ERR_OK;
558 }
559 
560 /**
561  * Implements the TCP state machine. Called by tcp_input. In some
562  * states tcp_receive() is called to receive data. The tcp_seg
563  * argument will be freed by the caller (tcp_input()) unless the
564  * recv_data pointer in the pcb is set.
565  *
566  * @param pcb the tcp_pcb for which a segment arrived
567  *
568  * @note the segment which arrived is saved in global variables, therefore only the pcb
569  *       involved is passed as a parameter to this function
570  */
571 static err_t
tcp_process(struct tcp_pcb * pcb)572 tcp_process(struct tcp_pcb *pcb)
573 {
574   struct tcp_seg *rseg;
575   u8_t acceptable = 0;
576   err_t err;
577 
578   err = ERR_OK;
579 
580   /* Process incoming RST segments. */
581   if (flags & TCP_RST) {
582     /* First, determine if the reset is acceptable. */
583     if (pcb->state == SYN_SENT) {
584       if (ackno == pcb->snd_nxt) {
585         acceptable = 1;
586       }
587     } else {
588       if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt,
589                           pcb->rcv_nxt+pcb->rcv_wnd)) {
590         acceptable = 1;
591       }
592     }
593 
594     if (acceptable) {
595       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_process: Connection RESET\n"));
596       LWIP_ASSERT("tcp_input: pcb->state != CLOSED", pcb->state != CLOSED);
597       recv_flags |= TF_RESET;
598       pcb->flags &= ~TF_ACK_DELAY;
599       return ERR_RST;
600     } else {
601       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_process: unacceptable reset seqno %"U32_F" rcv_nxt %"U32_F"\n",
602        seqno, pcb->rcv_nxt));
603       LWIP_DEBUGF(TCP_DEBUG, ("tcp_process: unacceptable reset seqno %"U32_F" rcv_nxt %"U32_F"\n",
604        seqno, pcb->rcv_nxt));
605       return ERR_OK;
606     }
607   }
608 
609   if ((flags & TCP_SYN) && (pcb->state != SYN_SENT && pcb->state != SYN_RCVD)) {
610     /* Cope with new connection attempt after remote end crashed */
611     tcp_ack_now(pcb);
612     return ERR_OK;
613   }
614 
615   if ((pcb->flags & TF_RXCLOSED) == 0) {
616     /* Update the PCB (in)activity timer unless rx is closed (see tcp_shutdown) */
617     pcb->tmr = tcp_ticks;
618   }
619   pcb->keep_cnt_sent = 0;
620 
621   tcp_parseopt(pcb);
622 
623   /* Do different things depending on the TCP state. */
624   switch (pcb->state) {
625   case SYN_SENT:
626     LWIP_DEBUGF(TCP_INPUT_DEBUG, ("SYN-SENT: ackno %"U32_F" pcb->snd_nxt %"U32_F" unacked %"U32_F"\n", ackno,
627      pcb->snd_nxt, ntohl(pcb->unacked->tcphdr->seqno)));
628     /* received SYN ACK with expected sequence number? */
629     if ((flags & TCP_ACK) && (flags & TCP_SYN)
630         && ackno == ntohl(pcb->unacked->tcphdr->seqno) + 1) {
631       pcb->snd_buf++;
632       pcb->rcv_nxt = seqno + 1;
633       pcb->rcv_ann_right_edge = pcb->rcv_nxt;
634       pcb->lastack = ackno;
635       pcb->snd_wnd = tcphdr->wnd;
636       pcb->snd_wl1 = seqno - 1; /* initialise to seqno - 1 to force window update */
637       pcb->state = ESTABLISHED;
638 
639 #if TCP_CALCULATE_EFF_SEND_MSS
640       pcb->mss = tcp_eff_send_mss(pcb->mss, &(pcb->remote_ip));
641 #endif /* TCP_CALCULATE_EFF_SEND_MSS */
642 
643       /* Set ssthresh again after changing pcb->mss (already set in tcp_connect
644        * but for the default value of pcb->mss) */
645       pcb->ssthresh = pcb->mss * 10;
646 
647       pcb->cwnd = ((pcb->cwnd == 1) ? (pcb->mss * 2) : pcb->mss);
648       LWIP_ASSERT("pcb->snd_queuelen > 0", (pcb->snd_queuelen > 0));
649       --pcb->snd_queuelen;
650       LWIP_DEBUGF(TCP_QLEN_DEBUG, ("tcp_process: SYN-SENT --queuelen %"U16_F"\n", (u16_t)pcb->snd_queuelen));
651       rseg = pcb->unacked;
652       pcb->unacked = rseg->next;
653 
654       /* If there's nothing left to acknowledge, stop the retransmit
655          timer, otherwise reset it to start again */
656       if(pcb->unacked == NULL)
657         pcb->rtime = -1;
658       else {
659         pcb->rtime = 0;
660         pcb->nrtx = 0;
661       }
662 
663       tcp_seg_free(rseg);
664 
665       /* Call the user specified function to call when sucessfully
666        * connected. */
667       TCP_EVENT_CONNECTED(pcb, ERR_OK, err);
668       if (err == ERR_ABRT) {
669         return ERR_ABRT;
670       }
671       tcp_ack_now(pcb);
672     }
673     /* received ACK? possibly a half-open connection */
674     else if (flags & TCP_ACK) {
675       /* send a RST to bring the other side in a non-synchronized state. */
676       tcp_rst(ackno, seqno + tcplen, ip_current_dest_addr(), ip_current_src_addr(),
677         tcphdr->dest, tcphdr->src);
678     }
679     break;
680   case SYN_RCVD:
681     if (flags & TCP_ACK) {
682       /* expected ACK number? */
683       if (TCP_SEQ_BETWEEN(ackno, pcb->lastack+1, pcb->snd_nxt)) {
684         u16_t old_cwnd;
685         pcb->state = ESTABLISHED;
686         LWIP_DEBUGF(TCP_DEBUG, ("TCP connection established %"U16_F" -> %"U16_F".\n", inseg.tcphdr->src, inseg.tcphdr->dest));
687 #if LWIP_CALLBACK_API
688         LWIP_ASSERT("pcb->accept != NULL", pcb->accept != NULL);
689 #endif
690         /* Call the accept function. */
691         TCP_EVENT_ACCEPT(pcb, ERR_OK, err);
692         if (err != ERR_OK) {
693           /* If the accept function returns with an error, we abort
694            * the connection. */
695           /* Already aborted? */
696           if (err != ERR_ABRT) {
697             tcp_abort(pcb);
698           }
699           return ERR_ABRT;
700         }
701         old_cwnd = pcb->cwnd;
702         /* If there was any data contained within this ACK,
703          * we'd better pass it on to the application as well. */
704         tcp_receive(pcb);
705 
706         /* Prevent ACK for SYN to generate a sent event */
707         if (pcb->acked != 0) {
708           pcb->acked--;
709         }
710 
711         pcb->cwnd = ((old_cwnd == 1) ? (pcb->mss * 2) : pcb->mss);
712 
713         if (recv_flags & TF_GOT_FIN) {
714           tcp_ack_now(pcb);
715           pcb->state = CLOSE_WAIT;
716         }
717       } else {
718         /* incorrect ACK number, send RST */
719         tcp_rst(ackno, seqno + tcplen, ip_current_dest_addr(), ip_current_src_addr(),
720                 tcphdr->dest, tcphdr->src);
721       }
722     } else if ((flags & TCP_SYN) && (seqno == pcb->rcv_nxt - 1)) {
723       /* Looks like another copy of the SYN - retransmit our SYN-ACK */
724       tcp_rexmit(pcb);
725     }
726     break;
727   case CLOSE_WAIT:
728     /* FALLTHROUGH */
729   case ESTABLISHED:
730     tcp_receive(pcb);
731     if (recv_flags & TF_GOT_FIN) { /* passive close */
732       tcp_ack_now(pcb);
733       pcb->state = CLOSE_WAIT;
734     }
735     break;
736   case FIN_WAIT_1:
737     tcp_receive(pcb);
738     if (recv_flags & TF_GOT_FIN) {
739       if ((flags & TCP_ACK) && (ackno == pcb->snd_nxt)) {
740         LWIP_DEBUGF(TCP_DEBUG,
741           ("TCP connection closed: FIN_WAIT_1 %"U16_F" -> %"U16_F".\n", inseg.tcphdr->src, inseg.tcphdr->dest));
742         tcp_ack_now(pcb);
743         tcp_pcb_purge(pcb);
744         TCP_RMV(&tcp_active_pcbs, pcb);
745         pcb->state = TIME_WAIT;
746         TCP_REG(&tcp_tw_pcbs, pcb);
747       } else {
748         tcp_ack_now(pcb);
749         pcb->state = CLOSING;
750       }
751     } else if ((flags & TCP_ACK) && (ackno == pcb->snd_nxt)) {
752       pcb->state = FIN_WAIT_2;
753     }
754     break;
755   case FIN_WAIT_2:
756     tcp_receive(pcb);
757     if (recv_flags & TF_GOT_FIN) {
758       LWIP_DEBUGF(TCP_DEBUG, ("TCP connection closed: FIN_WAIT_2 %"U16_F" -> %"U16_F".\n", inseg.tcphdr->src, inseg.tcphdr->dest));
759       tcp_ack_now(pcb);
760       tcp_pcb_purge(pcb);
761       TCP_RMV(&tcp_active_pcbs, pcb);
762       pcb->state = TIME_WAIT;
763       TCP_REG(&tcp_tw_pcbs, pcb);
764     }
765     break;
766   case CLOSING:
767     tcp_receive(pcb);
768     if (flags & TCP_ACK && ackno == pcb->snd_nxt) {
769       LWIP_DEBUGF(TCP_DEBUG, ("TCP connection closed: CLOSING %"U16_F" -> %"U16_F".\n", inseg.tcphdr->src, inseg.tcphdr->dest));
770       tcp_pcb_purge(pcb);
771       TCP_RMV(&tcp_active_pcbs, pcb);
772       pcb->state = TIME_WAIT;
773       TCP_REG(&tcp_tw_pcbs, pcb);
774     }
775     break;
776   case LAST_ACK:
777     tcp_receive(pcb);
778     if (flags & TCP_ACK && ackno == pcb->snd_nxt) {
779       LWIP_DEBUGF(TCP_DEBUG, ("TCP connection closed: LAST_ACK %"U16_F" -> %"U16_F".\n", inseg.tcphdr->src, inseg.tcphdr->dest));
780       /* bugfix #21699: don't set pcb->state to CLOSED here or we risk leaking segments */
781       recv_flags |= TF_CLOSED;
782     }
783     break;
784   default:
785     break;
786   }
787   return ERR_OK;
788 }
789 
790 #if TCP_QUEUE_OOSEQ
791 /**
792  * Insert segment into the list (segments covered with new one will be deleted)
793  *
794  * Called from tcp_receive()
795  */
796 static void
tcp_oos_insert_segment(struct tcp_seg * cseg,struct tcp_seg * next)797 tcp_oos_insert_segment(struct tcp_seg *cseg, struct tcp_seg *next)
798 {
799   struct tcp_seg *old_seg;
800 
801   if (TCPH_FLAGS(cseg->tcphdr) & TCP_FIN) {
802     /* received segment overlaps all following segments */
803     tcp_segs_free(next);
804     next = NULL;
805   }
806   else {
807     /* delete some following segments
808        oos queue may have segments with FIN flag */
809     while (next &&
810            TCP_SEQ_GEQ((seqno + cseg->len),
811                       (next->tcphdr->seqno + next->len))) {
812       /* cseg with FIN already processed */
813       if (TCPH_FLAGS(next->tcphdr) & TCP_FIN) {
814         TCPH_SET_FLAG(cseg->tcphdr, TCP_FIN);
815       }
816       old_seg = next;
817       next = next->next;
818       tcp_seg_free(old_seg);
819     }
820     if (next &&
821         TCP_SEQ_GT(seqno + cseg->len, next->tcphdr->seqno)) {
822       /* We need to trim the incoming segment. */
823       cseg->len = (u16_t)(next->tcphdr->seqno - seqno);
824       pbuf_realloc(cseg->p, cseg->len);
825     }
826   }
827   cseg->next = next;
828 }
829 #endif /* TCP_QUEUE_OOSEQ */
830 
831 /**
832  * Called by tcp_process. Checks if the given segment is an ACK for outstanding
833  * data, and if so frees the memory of the buffered data. Next, is places the
834  * segment on any of the receive queues (pcb->recved or pcb->ooseq). If the segment
835  * is buffered, the pbuf is referenced by pbuf_ref so that it will not be freed until
836  * i it has been removed from the buffer.
837  *
838  * If the incoming segment constitutes an ACK for a segment that was used for RTT
839  * estimation, the RTT is estimated here as well.
840  *
841  * Called from tcp_process().
842  */
843 static void
tcp_receive(struct tcp_pcb * pcb)844 tcp_receive(struct tcp_pcb *pcb)
845 {
846   struct tcp_seg *next;
847 #if TCP_QUEUE_OOSEQ
848   struct tcp_seg *prev, *cseg;
849 #endif /* TCP_QUEUE_OOSEQ */
850   struct pbuf *p;
851   s32_t off;
852   s16_t m;
853   u32_t right_wnd_edge;
854   u16_t new_tot_len;
855   int found_dupack = 0;
856 
857   if (flags & TCP_ACK) {
858     right_wnd_edge = pcb->snd_wnd + pcb->snd_wl2;
859 
860     /* Update window. */
861     if (TCP_SEQ_LT(pcb->snd_wl1, seqno) ||
862        (pcb->snd_wl1 == seqno && TCP_SEQ_LT(pcb->snd_wl2, ackno)) ||
863        (pcb->snd_wl2 == ackno && tcphdr->wnd > pcb->snd_wnd)) {
864       pcb->snd_wnd = tcphdr->wnd;
865       pcb->snd_wl1 = seqno;
866       pcb->snd_wl2 = ackno;
867       if (pcb->snd_wnd > 0 && pcb->persist_backoff > 0) {
868           pcb->persist_backoff = 0;
869       }
870       LWIP_DEBUGF(TCP_WND_DEBUG, ("tcp_receive: window update %"U16_F"\n", pcb->snd_wnd));
871 #if TCP_WND_DEBUG
872     } else {
873       if (pcb->snd_wnd != tcphdr->wnd) {
874         LWIP_DEBUGF(TCP_WND_DEBUG,
875                     ("tcp_receive: no window update lastack %"U32_F" ackno %"
876                      U32_F" wl1 %"U32_F" seqno %"U32_F" wl2 %"U32_F"\n",
877                      pcb->lastack, ackno, pcb->snd_wl1, seqno, pcb->snd_wl2));
878       }
879 #endif /* TCP_WND_DEBUG */
880     }
881 
882     /* (From Stevens TCP/IP Illustrated Vol II, p970.) Its only a
883      * duplicate ack if:
884      * 1) It doesn't ACK new data
885      * 2) length of received packet is zero (i.e. no payload)
886      * 3) the advertised window hasn't changed
887      * 4) There is outstanding unacknowledged data (retransmission timer running)
888      * 5) The ACK is == biggest ACK sequence number so far seen (snd_una)
889      *
890      * If it passes all five, should process as a dupack:
891      * a) dupacks < 3: do nothing
892      * b) dupacks == 3: fast retransmit
893      * c) dupacks > 3: increase cwnd
894      *
895      * If it only passes 1-3, should reset dupack counter (and add to
896      * stats, which we don't do in lwIP)
897      *
898      * If it only passes 1, should reset dupack counter
899      *
900      */
901 
902     /* Clause 1 */
903     if (TCP_SEQ_LEQ(ackno, pcb->lastack)) {
904       pcb->acked = 0;
905       /* Clause 2 */
906       if (tcplen == 0) {
907         /* Clause 3 */
908         if (pcb->snd_wl2 + pcb->snd_wnd == right_wnd_edge){
909           /* Clause 4 */
910           if (pcb->rtime >= 0) {
911             /* Clause 5 */
912             if (pcb->lastack == ackno) {
913               found_dupack = 1;
914               if (pcb->dupacks + 1 > pcb->dupacks)
915                 ++pcb->dupacks;
916               if (pcb->dupacks > 3) {
917                 /* Inflate the congestion window, but not if it means that
918                    the value overflows. */
919                 if ((u16_t)(pcb->cwnd + pcb->mss) > pcb->cwnd) {
920                   pcb->cwnd += pcb->mss;
921                 }
922               } else if (pcb->dupacks == 3) {
923                 /* Do fast retransmit */
924                 tcp_rexmit_fast(pcb);
925               }
926             }
927           }
928         }
929       }
930       /* If Clause (1) or more is true, but not a duplicate ack, reset
931        * count of consecutive duplicate acks */
932       if (!found_dupack) {
933         pcb->dupacks = 0;
934       }
935     } else if (TCP_SEQ_BETWEEN(ackno, pcb->lastack+1, pcb->snd_nxt)){
936       /* We come here when the ACK acknowledges new data. */
937 
938       /* Reset the "IN Fast Retransmit" flag, since we are no longer
939          in fast retransmit. Also reset the congestion window to the
940          slow start threshold. */
941       if (pcb->flags & TF_INFR) {
942         pcb->flags &= ~TF_INFR;
943         pcb->cwnd = pcb->ssthresh;
944       }
945 
946       /* Reset the number of retransmissions. */
947       pcb->nrtx = 0;
948 
949       /* Reset the retransmission time-out. */
950       pcb->rto = (pcb->sa >> 3) + pcb->sv;
951 
952       /* Update the send buffer space. Diff between the two can never exceed 64K? */
953       pcb->acked = (u16_t)(ackno - pcb->lastack);
954 
955       pcb->snd_buf += pcb->acked;
956 
957       /* Reset the fast retransmit variables. */
958       pcb->dupacks = 0;
959       pcb->lastack = ackno;
960 
961       /* Update the congestion control variables (cwnd and
962          ssthresh). */
963       if (pcb->state >= ESTABLISHED) {
964         if (pcb->cwnd < pcb->ssthresh) {
965           if ((u16_t)(pcb->cwnd + pcb->mss) > pcb->cwnd) {
966             pcb->cwnd += pcb->mss;
967           }
968           LWIP_DEBUGF(TCP_CWND_DEBUG, ("tcp_receive: slow start cwnd %"U16_F"\n", pcb->cwnd));
969         } else {
970           u16_t new_cwnd = (pcb->cwnd + pcb->mss * pcb->mss / pcb->cwnd);
971           if (new_cwnd > pcb->cwnd) {
972             pcb->cwnd = new_cwnd;
973           }
974           LWIP_DEBUGF(TCP_CWND_DEBUG, ("tcp_receive: congestion avoidance cwnd %"U16_F"\n", pcb->cwnd));
975         }
976       }
977       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_receive: ACK for %"U32_F", unacked->seqno %"U32_F":%"U32_F"\n",
978                                     ackno,
979                                     pcb->unacked != NULL?
980                                     ntohl(pcb->unacked->tcphdr->seqno): 0,
981                                     pcb->unacked != NULL?
982                                     ntohl(pcb->unacked->tcphdr->seqno) + TCP_TCPLEN(pcb->unacked): 0));
983 
984       /* Remove segment from the unacknowledged list if the incoming
985          ACK acknowlegdes them. */
986       while (pcb->unacked != NULL &&
987              TCP_SEQ_LEQ(ntohl(pcb->unacked->tcphdr->seqno) +
988                          TCP_TCPLEN(pcb->unacked), ackno)) {
989         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_receive: removing %"U32_F":%"U32_F" from pcb->unacked\n",
990                                       ntohl(pcb->unacked->tcphdr->seqno),
991                                       ntohl(pcb->unacked->tcphdr->seqno) +
992                                       TCP_TCPLEN(pcb->unacked)));
993 
994         next = pcb->unacked;
995         pcb->unacked = pcb->unacked->next;
996 
997         LWIP_DEBUGF(TCP_QLEN_DEBUG, ("tcp_receive: queuelen %"U16_F" ... ", (u16_t)pcb->snd_queuelen));
998         LWIP_ASSERT("pcb->snd_queuelen >= pbuf_clen(next->p)", (pcb->snd_queuelen >= pbuf_clen(next->p)));
999         /* Prevent ACK for FIN to generate a sent event */
1000         if ((pcb->acked != 0) && ((TCPH_FLAGS(next->tcphdr) & TCP_FIN) != 0)) {
1001           pcb->acked--;
1002         }
1003 
1004         pcb->snd_queuelen -= pbuf_clen(next->p);
1005         tcp_seg_free(next);
1006 
1007         LWIP_DEBUGF(TCP_QLEN_DEBUG, ("%"U16_F" (after freeing unacked)\n", (u16_t)pcb->snd_queuelen));
1008         if (pcb->snd_queuelen != 0) {
1009           LWIP_ASSERT("tcp_receive: valid queue length", pcb->unacked != NULL ||
1010                       pcb->unsent != NULL);
1011         }
1012       }
1013 
1014       /* If there's nothing left to acknowledge, stop the retransmit
1015          timer, otherwise reset it to start again */
1016       if(pcb->unacked == NULL)
1017         pcb->rtime = -1;
1018       else
1019         pcb->rtime = 0;
1020 
1021       pcb->polltmr = 0;
1022     } else {
1023       /* Fix bug bug #21582: out of sequence ACK, didn't really ack anything */
1024       pcb->acked = 0;
1025     }
1026 
1027     /* We go through the ->unsent list to see if any of the segments
1028        on the list are acknowledged by the ACK. This may seem
1029        strange since an "unsent" segment shouldn't be acked. The
1030        rationale is that lwIP puts all outstanding segments on the
1031        ->unsent list after a retransmission, so these segments may
1032        in fact have been sent once. */
1033     while (pcb->unsent != NULL &&
1034            TCP_SEQ_BETWEEN(ackno, ntohl(pcb->unsent->tcphdr->seqno) +
1035                            TCP_TCPLEN(pcb->unsent), pcb->snd_nxt)) {
1036       LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_receive: removing %"U32_F":%"U32_F" from pcb->unsent\n",
1037                                     ntohl(pcb->unsent->tcphdr->seqno), ntohl(pcb->unsent->tcphdr->seqno) +
1038                                     TCP_TCPLEN(pcb->unsent)));
1039 
1040       next = pcb->unsent;
1041       pcb->unsent = pcb->unsent->next;
1042       LWIP_DEBUGF(TCP_QLEN_DEBUG, ("tcp_receive: queuelen %"U16_F" ... ", (u16_t)pcb->snd_queuelen));
1043       LWIP_ASSERT("pcb->snd_queuelen >= pbuf_clen(next->p)", (pcb->snd_queuelen >= pbuf_clen(next->p)));
1044       /* Prevent ACK for FIN to generate a sent event */
1045       if ((pcb->acked != 0) && ((TCPH_FLAGS(next->tcphdr) & TCP_FIN) != 0)) {
1046         pcb->acked--;
1047       }
1048       pcb->snd_queuelen -= pbuf_clen(next->p);
1049       tcp_seg_free(next);
1050       LWIP_DEBUGF(TCP_QLEN_DEBUG, ("%"U16_F" (after freeing unsent)\n", (u16_t)pcb->snd_queuelen));
1051       if (pcb->snd_queuelen != 0) {
1052         LWIP_ASSERT("tcp_receive: valid queue length",
1053           pcb->unacked != NULL || pcb->unsent != NULL);
1054       }
1055     }
1056     /* End of ACK for new data processing. */
1057 
1058     LWIP_DEBUGF(TCP_RTO_DEBUG, ("tcp_receive: pcb->rttest %"U32_F" rtseq %"U32_F" ackno %"U32_F"\n",
1059                                 pcb->rttest, pcb->rtseq, ackno));
1060 
1061     /* RTT estimation calculations. This is done by checking if the
1062        incoming segment acknowledges the segment we use to take a
1063        round-trip time measurement. */
1064     if (pcb->rttest && TCP_SEQ_LT(pcb->rtseq, ackno)) {
1065       /* diff between this shouldn't exceed 32K since this are tcp timer ticks
1066          and a round-trip shouldn't be that long... */
1067       m = (s16_t)(tcp_ticks - pcb->rttest);
1068 
1069       LWIP_DEBUGF(TCP_RTO_DEBUG, ("tcp_receive: experienced rtt %"U16_F" ticks (%"U16_F" msec).\n",
1070                                   m, m * TCP_SLOW_INTERVAL));
1071 
1072       /* This is taken directly from VJs original code in his paper */
1073       m = m - (pcb->sa >> 3);
1074       pcb->sa += m;
1075       if (m < 0) {
1076         m = -m;
1077       }
1078       m = m - (pcb->sv >> 2);
1079       pcb->sv += m;
1080       pcb->rto = (pcb->sa >> 3) + pcb->sv;
1081 
1082       LWIP_DEBUGF(TCP_RTO_DEBUG, ("tcp_receive: RTO %"U16_F" (%"U16_F" milliseconds)\n",
1083                                   pcb->rto, pcb->rto * TCP_SLOW_INTERVAL));
1084 
1085       pcb->rttest = 0;
1086     }
1087   }
1088 
1089   /* If the incoming segment contains data, we must process it
1090      further. */
1091   if (tcplen > 0) {
1092     /* This code basically does three things:
1093 
1094     +) If the incoming segment contains data that is the next
1095     in-sequence data, this data is passed to the application. This
1096     might involve trimming the first edge of the data. The rcv_nxt
1097     variable and the advertised window are adjusted.
1098 
1099     +) If the incoming segment has data that is above the next
1100     sequence number expected (->rcv_nxt), the segment is placed on
1101     the ->ooseq queue. This is done by finding the appropriate
1102     place in the ->ooseq queue (which is ordered by sequence
1103     number) and trim the segment in both ends if needed. An
1104     immediate ACK is sent to indicate that we received an
1105     out-of-sequence segment.
1106 
1107     +) Finally, we check if the first segment on the ->ooseq queue
1108     now is in sequence (i.e., if rcv_nxt >= ooseq->seqno). If
1109     rcv_nxt > ooseq->seqno, we must trim the first edge of the
1110     segment on ->ooseq before we adjust rcv_nxt. The data in the
1111     segments that are now on sequence are chained onto the
1112     incoming segment so that we only need to call the application
1113     once.
1114     */
1115 
1116     /* First, we check if we must trim the first edge. We have to do
1117        this if the sequence number of the incoming segment is less
1118        than rcv_nxt, and the sequence number plus the length of the
1119        segment is larger than rcv_nxt. */
1120     /*    if (TCP_SEQ_LT(seqno, pcb->rcv_nxt)){
1121           if (TCP_SEQ_LT(pcb->rcv_nxt, seqno + tcplen)) {*/
1122     if (TCP_SEQ_BETWEEN(pcb->rcv_nxt, seqno + 1, seqno + tcplen - 1)){
1123       /* Trimming the first edge is done by pushing the payload
1124          pointer in the pbuf downwards. This is somewhat tricky since
1125          we do not want to discard the full contents of the pbuf up to
1126          the new starting point of the data since we have to keep the
1127          TCP header which is present in the first pbuf in the chain.
1128 
1129          What is done is really quite a nasty hack: the first pbuf in
1130          the pbuf chain is pointed to by inseg.p. Since we need to be
1131          able to deallocate the whole pbuf, we cannot change this
1132          inseg.p pointer to point to any of the later pbufs in the
1133          chain. Instead, we point the ->payload pointer in the first
1134          pbuf to data in one of the later pbufs. We also set the
1135          inseg.data pointer to point to the right place. This way, the
1136          ->p pointer will still point to the first pbuf, but the
1137          ->p->payload pointer will point to data in another pbuf.
1138 
1139          After we are done with adjusting the pbuf pointers we must
1140          adjust the ->data pointer in the seg and the segment
1141          length.*/
1142 
1143       off = pcb->rcv_nxt - seqno;
1144       p = inseg.p;
1145       LWIP_ASSERT("inseg.p != NULL", inseg.p);
1146       LWIP_ASSERT("insane offset!", (off < 0x7fff));
1147       if (inseg.p->len < off) {
1148         LWIP_ASSERT("pbuf too short!", (((s32_t)inseg.p->tot_len) >= off));
1149         new_tot_len = (u16_t)(inseg.p->tot_len - off);
1150         while (p->len < off) {
1151           off -= p->len;
1152           /* KJM following line changed (with addition of new_tot_len var)
1153              to fix bug #9076
1154              inseg.p->tot_len -= p->len; */
1155           p->tot_len = new_tot_len;
1156           p->len = 0;
1157           p = p->next;
1158         }
1159         if(pbuf_header(p, (s16_t)-off)) {
1160           /* Do we need to cope with this failing?  Assert for now */
1161           LWIP_ASSERT("pbuf_header failed", 0);
1162         }
1163       } else {
1164         if(pbuf_header(inseg.p, (s16_t)-off)) {
1165           /* Do we need to cope with this failing?  Assert for now */
1166           LWIP_ASSERT("pbuf_header failed", 0);
1167         }
1168       }
1169       inseg.len -= (u16_t)(pcb->rcv_nxt - seqno);
1170       inseg.tcphdr->seqno = seqno = pcb->rcv_nxt;
1171     }
1172     else {
1173       if (TCP_SEQ_LT(seqno, pcb->rcv_nxt)){
1174         /* the whole segment is < rcv_nxt */
1175         /* must be a duplicate of a packet that has already been correctly handled */
1176 
1177         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_receive: duplicate seqno %"U32_F"\n", seqno));
1178         tcp_ack_now(pcb);
1179       }
1180     }
1181 
1182     /* The sequence number must be within the window (above rcv_nxt
1183        and below rcv_nxt + rcv_wnd) in order to be further
1184        processed. */
1185     if (TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt,
1186                         pcb->rcv_nxt + pcb->rcv_wnd - 1)){
1187       if (pcb->rcv_nxt == seqno) {
1188         /* The incoming segment is the next in sequence. We check if
1189            we have to trim the end of the segment and update rcv_nxt
1190            and pass the data to the application. */
1191         tcplen = TCP_TCPLEN(&inseg);
1192 
1193         if (tcplen > pcb->rcv_wnd) {
1194           LWIP_DEBUGF(TCP_INPUT_DEBUG,
1195                       ("tcp_receive: other end overran receive window"
1196                        "seqno %"U32_F" len %"U16_F" right edge %"U32_F"\n",
1197                        seqno, tcplen, pcb->rcv_nxt + pcb->rcv_wnd));
1198           if (TCPH_FLAGS(inseg.tcphdr) & TCP_FIN) {
1199             /* Must remove the FIN from the header as we're trimming
1200              * that byte of sequence-space from the packet */
1201             TCPH_FLAGS_SET(inseg.tcphdr, TCPH_FLAGS(inseg.tcphdr) &~ TCP_FIN);
1202           }
1203           /* Adjust length of segment to fit in the window. */
1204           inseg.len = pcb->rcv_wnd;
1205           if (TCPH_FLAGS(inseg.tcphdr) & TCP_SYN) {
1206             inseg.len -= 1;
1207           }
1208           pbuf_realloc(inseg.p, inseg.len);
1209           tcplen = TCP_TCPLEN(&inseg);
1210           LWIP_ASSERT("tcp_receive: segment not trimmed correctly to rcv_wnd\n",
1211                       (seqno + tcplen) == (pcb->rcv_nxt + pcb->rcv_wnd));
1212         }
1213 #if TCP_QUEUE_OOSEQ
1214         /* Received in-sequence data, adjust ooseq data if:
1215            - FIN has been received or
1216            - inseq overlaps with ooseq */
1217         if (pcb->ooseq != NULL) {
1218           if (TCPH_FLAGS(inseg.tcphdr) & TCP_FIN) {
1219             LWIP_DEBUGF(TCP_INPUT_DEBUG,
1220                         ("tcp_receive: received in-order FIN, binning ooseq queue\n"));
1221             /* Received in-order FIN means anything that was received
1222              * out of order must now have been received in-order, so
1223              * bin the ooseq queue */
1224             while (pcb->ooseq != NULL) {
1225               struct tcp_seg *old_ooseq = pcb->ooseq;
1226               pcb->ooseq = pcb->ooseq->next;
1227               tcp_seg_free(old_ooseq);
1228             }
1229           }
1230           else {
1231             next = pcb->ooseq;
1232             /* Remove all segments on ooseq that are covered by inseg already.
1233              * FIN is copied from ooseq to inseg if present. */
1234             while (next &&
1235                    TCP_SEQ_GEQ(seqno + tcplen,
1236                                next->tcphdr->seqno + next->len)) {
1237               /* inseg cannot have FIN here (already processed above) */
1238               if (TCPH_FLAGS(next->tcphdr) & TCP_FIN &&
1239                   (TCPH_FLAGS(inseg.tcphdr) & TCP_SYN) == 0) {
1240                 TCPH_SET_FLAG(inseg.tcphdr, TCP_FIN);
1241                 tcplen = TCP_TCPLEN(&inseg);
1242               }
1243               prev = next;
1244               next = next->next;
1245               tcp_seg_free(prev);
1246             }
1247             /* Now trim right side of inseg if it overlaps with the first
1248              * segment on ooseq */
1249             if (next &&
1250                 TCP_SEQ_GT(seqno + tcplen,
1251                            next->tcphdr->seqno)) {
1252               /* inseg cannot have FIN here (already processed above) */
1253               inseg.len = (u16_t)(next->tcphdr->seqno - seqno);
1254               if (TCPH_FLAGS(inseg.tcphdr) & TCP_SYN) {
1255                 inseg.len -= 1;
1256               }
1257               pbuf_realloc(inseg.p, inseg.len);
1258               tcplen = TCP_TCPLEN(&inseg);
1259               LWIP_ASSERT("tcp_receive: segment not trimmed correctly to ooseq queue\n",
1260                           (seqno + tcplen) == next->tcphdr->seqno);
1261             }
1262             pcb->ooseq = next;
1263           }
1264         }
1265 #endif /* TCP_QUEUE_OOSEQ */
1266 
1267         pcb->rcv_nxt = seqno + tcplen;
1268 
1269         /* Update the receiver's (our) window. */
1270         LWIP_ASSERT("tcp_receive: tcplen > rcv_wnd\n", pcb->rcv_wnd >= tcplen);
1271         pcb->rcv_wnd -= tcplen;
1272 
1273         tcp_update_rcv_ann_wnd(pcb);
1274 
1275         /* If there is data in the segment, we make preparations to
1276            pass this up to the application. The ->recv_data variable
1277            is used for holding the pbuf that goes to the
1278            application. The code for reassembling out-of-sequence data
1279            chains its data on this pbuf as well.
1280 
1281            If the segment was a FIN, we set the TF_GOT_FIN flag that will
1282            be used to indicate to the application that the remote side has
1283            closed its end of the connection. */
1284         if (inseg.p->tot_len > 0) {
1285           recv_data = inseg.p;
1286           /* Since this pbuf now is the responsibility of the
1287              application, we delete our reference to it so that we won't
1288              (mistakingly) deallocate it. */
1289           inseg.p = NULL;
1290         }
1291         if (TCPH_FLAGS(inseg.tcphdr) & TCP_FIN) {
1292           LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_receive: received FIN.\n"));
1293           recv_flags |= TF_GOT_FIN;
1294         }
1295 
1296 #if TCP_QUEUE_OOSEQ
1297         /* We now check if we have segments on the ->ooseq queue that
1298            are now in sequence. */
1299         while (pcb->ooseq != NULL &&
1300                pcb->ooseq->tcphdr->seqno == pcb->rcv_nxt) {
1301 
1302           cseg = pcb->ooseq;
1303           seqno = pcb->ooseq->tcphdr->seqno;
1304 
1305           pcb->rcv_nxt += TCP_TCPLEN(cseg);
1306           LWIP_ASSERT("tcp_receive: ooseq tcplen > rcv_wnd\n",
1307                       pcb->rcv_wnd >= TCP_TCPLEN(cseg));
1308           pcb->rcv_wnd -= TCP_TCPLEN(cseg);
1309 
1310           tcp_update_rcv_ann_wnd(pcb);
1311 
1312           if (cseg->p->tot_len > 0) {
1313             /* Chain this pbuf onto the pbuf that we will pass to
1314                the application. */
1315             if (recv_data) {
1316               pbuf_cat(recv_data, cseg->p);
1317             } else {
1318               recv_data = cseg->p;
1319             }
1320             cseg->p = NULL;
1321           }
1322           if (TCPH_FLAGS(cseg->tcphdr) & TCP_FIN) {
1323             LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_receive: dequeued FIN.\n"));
1324             recv_flags |= TF_GOT_FIN;
1325             if (pcb->state == ESTABLISHED) { /* force passive close or we can move to active close */
1326               pcb->state = CLOSE_WAIT;
1327             }
1328           }
1329 
1330           pcb->ooseq = cseg->next;
1331           tcp_seg_free(cseg);
1332         }
1333 #endif /* TCP_QUEUE_OOSEQ */
1334 
1335 
1336         /* Acknowledge the segment(s). */
1337         tcp_ack(pcb);
1338 
1339       } else {
1340         /* We get here if the incoming segment is out-of-sequence. */
1341         tcp_send_empty_ack(pcb);
1342 #if TCP_QUEUE_OOSEQ
1343         /* We queue the segment on the ->ooseq queue. */
1344         if (pcb->ooseq == NULL) {
1345           pcb->ooseq = tcp_seg_copy(&inseg);
1346         } else {
1347           /* If the queue is not empty, we walk through the queue and
1348              try to find a place where the sequence number of the
1349              incoming segment is between the sequence numbers of the
1350              previous and the next segment on the ->ooseq queue. That is
1351              the place where we put the incoming segment. If needed, we
1352              trim the second edges of the previous and the incoming
1353              segment so that it will fit into the sequence.
1354 
1355              If the incoming segment has the same sequence number as a
1356              segment on the ->ooseq queue, we discard the segment that
1357              contains less data. */
1358 
1359           prev = NULL;
1360           for(next = pcb->ooseq; next != NULL; next = next->next) {
1361             if (seqno == next->tcphdr->seqno) {
1362               /* The sequence number of the incoming segment is the
1363                  same as the sequence number of the segment on
1364                  ->ooseq. We check the lengths to see which one to
1365                  discard. */
1366               if (inseg.len > next->len) {
1367                 /* The incoming segment is larger than the old
1368                    segment. We replace some segments with the new
1369                    one. */
1370                 cseg = tcp_seg_copy(&inseg);
1371                 if (cseg != NULL) {
1372                   if (prev != NULL) {
1373                     prev->next = cseg;
1374                   } else {
1375                     pcb->ooseq = cseg;
1376                   }
1377                   tcp_oos_insert_segment(cseg, next);
1378                 }
1379                 break;
1380               } else {
1381                 /* Either the lenghts are the same or the incoming
1382                    segment was smaller than the old one; in either
1383                    case, we ditch the incoming segment. */
1384                 break;
1385               }
1386             } else {
1387               if (prev == NULL) {
1388                 if (TCP_SEQ_LT(seqno, next->tcphdr->seqno)) {
1389                   /* The sequence number of the incoming segment is lower
1390                      than the sequence number of the first segment on the
1391                      queue. We put the incoming segment first on the
1392                      queue. */
1393                   cseg = tcp_seg_copy(&inseg);
1394                   if (cseg != NULL) {
1395                     pcb->ooseq = cseg;
1396                     tcp_oos_insert_segment(cseg, next);
1397                   }
1398                   break;
1399                 }
1400               } else {
1401                 /*if (TCP_SEQ_LT(prev->tcphdr->seqno, seqno) &&
1402                   TCP_SEQ_LT(seqno, next->tcphdr->seqno)) {*/
1403                 if (TCP_SEQ_BETWEEN(seqno, prev->tcphdr->seqno+1, next->tcphdr->seqno-1)) {
1404                   /* The sequence number of the incoming segment is in
1405                      between the sequence numbers of the previous and
1406                      the next segment on ->ooseq. We trim trim the previous
1407                      segment, delete next segments that included in received segment
1408                      and trim received, if needed. */
1409                   cseg = tcp_seg_copy(&inseg);
1410                   if (cseg != NULL) {
1411                     if (TCP_SEQ_GT(prev->tcphdr->seqno + prev->len, seqno)) {
1412                       /* We need to trim the prev segment. */
1413                       prev->len = (u16_t)(seqno - prev->tcphdr->seqno);
1414                       pbuf_realloc(prev->p, prev->len);
1415                     }
1416                     prev->next = cseg;
1417                     tcp_oos_insert_segment(cseg, next);
1418                   }
1419                   break;
1420                 }
1421               }
1422               /* If the "next" segment is the last segment on the
1423                  ooseq queue, we add the incoming segment to the end
1424                  of the list. */
1425               if (next->next == NULL &&
1426                   TCP_SEQ_GT(seqno, next->tcphdr->seqno)) {
1427                 if (TCPH_FLAGS(next->tcphdr) & TCP_FIN) {
1428                   /* segment "next" already contains all data */
1429                   break;
1430                 }
1431                 next->next = tcp_seg_copy(&inseg);
1432                 if (next->next != NULL) {
1433                   if (TCP_SEQ_GT(next->tcphdr->seqno + next->len, seqno)) {
1434                     /* We need to trim the last segment. */
1435                     next->len = (u16_t)(seqno - next->tcphdr->seqno);
1436                     pbuf_realloc(next->p, next->len);
1437                   }
1438                   /* check if the remote side overruns our receive window */
1439                   if ((u32_t)tcplen + seqno > pcb->rcv_nxt + (u32_t)pcb->rcv_wnd) {
1440                     LWIP_DEBUGF(TCP_INPUT_DEBUG,
1441                                 ("tcp_receive: other end overran receive window"
1442                                  "seqno %"U32_F" len %"U16_F" right edge %"U32_F"\n",
1443                                  seqno, tcplen, pcb->rcv_nxt + pcb->rcv_wnd));
1444                     if (TCPH_FLAGS(next->next->tcphdr) & TCP_FIN) {
1445                       /* Must remove the FIN from the header as we're trimming
1446                        * that byte of sequence-space from the packet */
1447                       TCPH_FLAGS_SET(next->next->tcphdr, TCPH_FLAGS(next->next->tcphdr) &~ TCP_FIN);
1448                     }
1449                     /* Adjust length of segment to fit in the window. */
1450                     next->next->len = pcb->rcv_nxt + pcb->rcv_wnd - seqno;
1451                     pbuf_realloc(next->next->p, next->next->len);
1452                     tcplen = TCP_TCPLEN(next->next);
1453                     LWIP_ASSERT("tcp_receive: segment not trimmed correctly to rcv_wnd\n",
1454                                 (seqno + tcplen) == (pcb->rcv_nxt + pcb->rcv_wnd));
1455                   }
1456                 }
1457                 break;
1458               }
1459             }
1460             prev = next;
1461           }
1462         }
1463 #endif /* TCP_QUEUE_OOSEQ */
1464 
1465       }
1466     } else {
1467       /* The incoming segment is not withing the window. */
1468       tcp_send_empty_ack(pcb);
1469     }
1470   } else {
1471     /* Segments with length 0 is taken care of here. Segments that
1472        fall out of the window are ACKed. */
1473     /*if (TCP_SEQ_GT(pcb->rcv_nxt, seqno) ||
1474       TCP_SEQ_GEQ(seqno, pcb->rcv_nxt + pcb->rcv_wnd)) {*/
1475     if(!TCP_SEQ_BETWEEN(seqno, pcb->rcv_nxt, pcb->rcv_nxt + pcb->rcv_wnd-1)){
1476       tcp_ack_now(pcb);
1477     }
1478   }
1479 }
1480 
1481 /**
1482  * Parses the options contained in the incoming segment.
1483  *
1484  * Called from tcp_listen_input() and tcp_process().
1485  * Currently, only the MSS option is supported!
1486  *
1487  * @param pcb the tcp_pcb for which a segment arrived
1488  */
1489 static void
tcp_parseopt(struct tcp_pcb * pcb)1490 tcp_parseopt(struct tcp_pcb *pcb)
1491 {
1492   u16_t c, max_c;
1493   u16_t mss;
1494   u8_t *opts, opt;
1495 #if LWIP_TCP_TIMESTAMPS
1496   u32_t tsval;
1497 #endif
1498 
1499   opts = (u8_t *)tcphdr + TCP_HLEN;
1500 
1501   /* Parse the TCP MSS option, if present. */
1502   if(TCPH_HDRLEN(tcphdr) > 0x5) {
1503     max_c = (TCPH_HDRLEN(tcphdr) - 5) << 2;
1504     for (c = 0; c < max_c; ) {
1505       opt = opts[c];
1506       switch (opt) {
1507       case 0x00:
1508         /* End of options. */
1509         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: EOL\n"));
1510         return;
1511       case 0x01:
1512         /* NOP option. */
1513         ++c;
1514         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: NOP\n"));
1515         break;
1516       case 0x02:
1517         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: MSS\n"));
1518         if (opts[c + 1] != 0x04 || c + 0x04 > max_c) {
1519           /* Bad length */
1520           LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: bad length\n"));
1521           return;
1522         }
1523         /* An MSS option with the right option length. */
1524         mss = (opts[c + 2] << 8) | opts[c + 3];
1525         /* Limit the mss to the configured TCP_MSS and prevent division by zero */
1526         pcb->mss = ((mss > TCP_MSS) || (mss == 0)) ? TCP_MSS : mss;
1527         /* Advance to next option */
1528         c += 0x04;
1529         break;
1530 #if LWIP_TCP_TIMESTAMPS
1531       case 0x08:
1532         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: TS\n"));
1533         if (opts[c + 1] != 0x0A || c + 0x0A > max_c) {
1534           /* Bad length */
1535           LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: bad length\n"));
1536           return;
1537         }
1538         /* TCP timestamp option with valid length */
1539         tsval = (opts[c+2]) | (opts[c+3] << 8) |
1540           (opts[c+4] << 16) | (opts[c+5] << 24);
1541         if (flags & TCP_SYN) {
1542           pcb->ts_recent = ntohl(tsval);
1543           pcb->flags |= TF_TIMESTAMP;
1544         } else if (TCP_SEQ_BETWEEN(pcb->ts_lastacksent, seqno, seqno+tcplen)) {
1545           pcb->ts_recent = ntohl(tsval);
1546         }
1547         /* Advance to next option */
1548         c += 0x0A;
1549         break;
1550 #endif
1551       default:
1552         LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: other\n"));
1553         if (opts[c + 1] == 0) {
1554           LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: bad length\n"));
1555           /* If the length field is zero, the options are malformed
1556              and we don't process them further. */
1557           return;
1558         }
1559         /* All other options have a length field, so that we easily
1560            can skip past them. */
1561         c += opts[c + 1];
1562       }
1563     }
1564   }
1565 }
1566 
1567 #endif /* LWIP_TCP */
1568