This is an old thread, but I have run into the same problem. I found this thread by searching for the name of the function udp_return_req2socket_from_rx_queue()
In my case, I'm using the MQX 4.2 TFTP client, and not writing my own socket handling code. The remote TFTP server on the other end of the transfer is also running MQX 4.2. I'm able to "get" files successfully, but the "TFTPCLN task" consistently crashes when trying to "put" a file to the remote system.
I have tracked it down to this function. The TFTP client task sends a request to start the transfer, and then calls tftp_recv_ack() to receive an acknowledgment packet. It passes in a pointer to a 4-byte packet, and an expected length of 4. This read request passes through the UDP and TCP stacks, and eventually ends up inside udp_return_req2socket_from_rx_queue() where it is processing a 25 byte datagram that it has received. It crams the 25 bytes from the datagram into the 4 byte buffer, blowing away the data that is allocated after that buffer and corrupting memory.
Things are still running, and eventually the TFTP client tries to send the first data packet. To do this, it starts building a datagram by poking the TFTP_OPCODE_DATA value into the transmit buffer. But the pointer to that buffer is part of the data that got clobbered by the previous receive data overrun, so that pointer address is no longer valid and processor generates a hard fault. The system is now dead.
I find it curious that that the length of the data buffer to receive a datagram is passed into udp_return_req2socket_from_rx_queue(), but the function does not honor it. Instead, it writes the whole datagram into the receive buffer and clobbers memory.
I have tried Eugene Ryabtsev's change, and it seems to work. Hopefully this isn't introducing other issues.
