Rfc compliance

[danielinux]

• f6aa529: Correctly parse ACK in TCP_CLOSING (F/689)
• 7f908bf: Send RST for unmatched segments (F/690)
• 9366582: UDP: send ICMP port unreachable for closed UDP port (F/694)
• 649cfb5: IHL > 5: discard options but correctly receive packet (F/695)
• 4502d00: icmp_input: discard packets with bad checksum (F/693)
• 37eaa64: Do not send ttl_exceeded on locally-destined TCP packets (F/697)
• d1307b4: UDP: validate minimum len (F/698)
• f7263c9: DHCP offer and ACK: validate xid (F/692)

[Copilot]

Pull request overview

This PR improves RFC compliance across wolfIP’s IPv4/TCP/UDP/ICMP/DHCP handling, adding stricter validation and generating appropriate control/error responses.

Changes:

• Add ICMP validation and generation updates (checksum verification; ICMP Port Unreachable for closed UDP ports).
• Improve TCP compliance (ACK handling in TCP_CLOSING; send RST for unmatched segments; avoid TTL-exceeded generation for locally-destined TCP).
• Handle IPv4 options by discarding them for local delivery while still accepting the packet; tighten length/checksum validations (including DHCP XID validation).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
src/wolfip.c	Implements RFC-driven behavior changes across ICMP/UDP/TCP and adds IPv4 option stripping + stronger header validation.
src/test/unit/unit.c	Adds/updates unit tests to cover new checksum validation, UDP unreachable behavior, TCP RST behavior, DHCP XID checks, and IP options delivery.

Comments suppressed due to low confidence (1)

src/wolfip.c:5752

• ip_recv forwarding is now enabled for IPv4 packets with IHL > 5 (options). In the TTL-expired forwarding path, wolfIP_send_ttl_exceeded() snapshots a fixed 28 bytes of the original packet (assumes a 20-byte IP header + 8 bytes payload). For packets with IP options, RFC 792 requires including the entire original IP header (including options) plus 8 bytes of payload, so the current fixed-size snapshot will truncate the header. Either keep forwarding limited to IHL==5, or increase TTL_EXCEEDED_ORIG_PACKET_SIZE and copy min(total_len, ip_hlen+8) so ICMP errors remain compliant for option-bearing packets.

    if (version == 4 && ip_hlen >= IP_HEADER_LEN) {
        ip4 dest = ee32(ip->dst);
        int is_local = 0;
        if (dest == IPADDR_ANY || IS_IP_BCAST(dest)) {
            is_local = 1;
        } else {
            for (i = 0; i < s->if_count; i++) {
                struct ipconf *conf = &s->ipconf[i];
                if (!conf || conf->ip == IPADDR_ANY)
                    continue;
                if (conf->ip == dest) {
                    is_local = 1;
                    break;
                }
            }
        }
        if (!is_local) {
            int out_if = wolfIP_forward_interface(s, if_idx, dest);
            if (out_if >= 0) {
                uint8_t mac[6];
                int broadcast = 0;

                if (ip->ttl <= 1) {
                    /* Need at least Ethernet header + 28 bytes of original packet. */
                    if (len < (uint32_t)(ETH_HEADER_LEN + TTL_EXCEEDED_ORIG_PACKET_SIZE))
                        return;
                    wolfIP_send_ttl_exceeded(s, if_idx, ip);
                    return;

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.