Addressed review

danielinux · danielinux · commit a77fe9d3d06a · 2026-03-30T18:27:15.000+02:00
ICMP hard errors were closing TCP established connections.
Also fix/split test case.
diff --git a/src/test/unit/unit.c b/src/test/unit/unit.c
@@ -696,9 +696,10 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_proto, test_icmp_input_echo_request_ip_filter_drop);
     tcase_add_test(tc_proto, test_icmp_input_echo_request_eth_filter_drop);
     tcase_add_test(tc_proto, test_icmp_input_filter_drop_receiving);
-    tcase_add_test(tc_proto, test_icmp_input_dest_unreach_port_unreachable_closes_matching_tcp_socket);
+    tcase_add_test(tc_proto, test_icmp_input_dest_unreach_port_unreachable_keeps_established_tcp_socket);
     tcase_add_test(tc_proto, test_icmp_input_dest_unreach_frag_needed_reduces_tcp_peer_mss);
-    tcase_add_test(tc_proto, test_icmp_input_dest_unreach_port_unreachable_quoted_ip_options_match_tcp_socket);
+    tcase_add_test(tc_proto, test_icmp_input_dest_unreach_port_unreachable_closes_syn_sent_tcp_socket);
+    tcase_add_test(tc_proto, test_icmp_input_dest_unreach_port_unreachable_quoted_ip_options_keep_established_tcp_socket);
     tcase_add_test(tc_proto, test_udp_sendto_and_recvfrom);
     tcase_add_test(tc_proto, test_udp_sendto_respects_mtu_api);
     tcase_add_test(tc_proto, test_udp_recvfrom_sets_remote_ip);
diff --git a/src/test/unit/unit_tests_dns_dhcp.c b/src/test/unit/unit_tests_dns_dhcp.c
@@ -2038,7 +2038,7 @@ START_TEST(test_icmp_input_filter_drop_receiving)
 }
 END_TEST
 
-START_TEST(test_icmp_input_dest_unreach_port_unreachable_closes_matching_tcp_socket)
+START_TEST(test_icmp_input_dest_unreach_port_unreachable_keeps_established_tcp_socket)
 {
     struct wolfIP s;
     struct tsocket *ts;
@@ -2084,7 +2084,8 @@ START_TEST(test_icmp_input_dest_unreach_port_unreachable_closes_matching_tcp_soc
 
     icmp_input(&s, TEST_PRIMARY_IF, (struct wolfIP_ip_packet *)&icmp, frame_len);
 
-    ck_assert_uint_eq(ts->proto, 0U);
+    ck_assert_uint_eq(ts->proto, WI_IPPROTO_TCP);
+    ck_assert_int_eq(ts->sock.tcp.state, TCP_ESTABLISHED);
 }
 END_TEST
 
@@ -2142,7 +2143,57 @@ START_TEST(test_icmp_input_dest_unreach_frag_needed_reduces_tcp_peer_mss)
 }
 END_TEST
 
-START_TEST(test_icmp_input_dest_unreach_port_unreachable_quoted_ip_options_match_tcp_socket)
+START_TEST(test_icmp_input_dest_unreach_port_unreachable_closes_syn_sent_tcp_socket)
+{
+    struct wolfIP s;
+    struct tsocket *ts;
+    struct wolfIP_icmp_dest_unreachable_packet icmp;
+    struct wolfIP_tcp_wire_prefix *orig;
+    uint32_t frame_len;
+
+    wolfIP_init(&s);
+    mock_link_init(&s);
+    wolfIP_ipconfig_set(&s, 0x0A000001U, 0xFFFFFF00U, 0);
+
+    ts = &s.tcpsockets[0];
+    memset(ts, 0, sizeof(*ts));
+    ts->proto = WI_IPPROTO_TCP;
+    ts->S = &s;
+    ts->sock.tcp.state = TCP_SYN_SENT;
+    ts->local_ip = 0x0A000001U;
+    ts->remote_ip = 0x0A000002U;
+    ts->src_port = 1234;
+    ts->dst_port = 4321;
+
+    memset(&icmp, 0, sizeof(icmp));
+    icmp.ip.src = ee32(0x0A0000FEU);
+    icmp.ip.dst = ee32(ts->local_ip);
+    icmp.ip.ttl = 64;
+    icmp.ip.proto = WI_IPPROTO_ICMP;
+    icmp.ip.len = ee16(IP_HEADER_LEN + ICMP_DEST_UNREACH_SIZE);
+    icmp.type = ICMP_DEST_UNREACH;
+    icmp.code = ICMP_PORT_UNREACH;
+
+    orig = (struct wolfIP_tcp_wire_prefix *)icmp.orig_packet;
+    orig->ip.ver_ihl = 0x45;
+    orig->ip.proto = WI_IPPROTO_TCP;
+    orig->ip.src = ee32(ts->local_ip);
+    orig->ip.dst = ee32(ts->remote_ip);
+    orig->ip.len = ee16(IP_HEADER_LEN + 8U);
+    orig->src_port = ee16(ts->src_port);
+    orig->dst_port = ee16(ts->dst_port);
+
+    icmp.csum = ee16(icmp_checksum((struct wolfIP_icmp_packet *)&icmp,
+                ICMP_DEST_UNREACH_SIZE));
+    frame_len = (uint32_t)(ETH_HEADER_LEN + IP_HEADER_LEN + ICMP_DEST_UNREACH_SIZE);
+
+    icmp_input(&s, TEST_PRIMARY_IF, (struct wolfIP_ip_packet *)&icmp, frame_len);
+
+    ck_assert_uint_eq(ts->proto, 0U);
+}
+END_TEST
+
+START_TEST(test_icmp_input_dest_unreach_port_unreachable_quoted_ip_options_keep_established_tcp_socket)
 {
     struct wolfIP s;
     struct tsocket *ts;
@@ -2197,7 +2248,8 @@ START_TEST(test_icmp_input_dest_unreach_port_unreachable_quoted_ip_options_match
 
     icmp_input(&s, TEST_PRIMARY_IF, (struct wolfIP_ip_packet *)icmp, frame_len);
 
-    ck_assert_uint_eq(ts->proto, 0U);
+    ck_assert_uint_eq(ts->proto, WI_IPPROTO_TCP);
+    ck_assert_int_eq(ts->sock.tcp.state, TCP_ESTABLISHED);
 }
 END_TEST
 
diff --git a/src/wolfip.c b/src/wolfip.c
@@ -2043,7 +2043,9 @@ static void icmp_try_deliver_tcp_error(struct wolfIP *s,
                 }
             } else if (icmp->code == ICMP_PROT_UNREACH ||
                     icmp->code == ICMP_PORT_UNREACH) {
-                close_socket(t);
+                if (t->sock.tcp.state == TCP_SYN_SENT ||
+                        t->sock.tcp.state == TCP_SYN_RCVD)
+                    close_socket(t);
             }
         }
         break;

Original file line number	Diff line number	Diff line change
`@@ -2043,7 +2043,9 @@ static void icmp_try_deliver_tcp_error(struct wolfIP *s,`
`2043`	`2043`	`}`
`2044`	`2044`	`} else if (icmp->code == ICMP_PROT_UNREACH \|\|`
`2045`	`2045`	`icmp->code == ICMP_PORT_UNREACH) {`
`2046`		`- close_socket(t);`
	`2046`	`+ if (t->sock.tcp.state == TCP_SYN_SENT \|\|`
	`2047`	`+ t->sock.tcp.state == TCP_SYN_RCVD)`
	`2048`	`+ close_socket(t);`
`2047`	`2049`	`}`
`2048`	`2050`	`}`
`2049`	`2051`	`break;`