lwip-devel

[lwip-devel] [bugs #9160] MEM_ALIGN_SIZE used incorrectly in pbuf_alloc


From: Kieran Mansley
Subject: [lwip-devel] [bugs #9160] MEM_ALIGN_SIZE used incorrectly in pbuf_alloc
Date: Sun, 30 May 2004 10:10:44 -0400
User-agent: Opera/7.11 (Linux 2.4.20-28.9 i686; U) [en]

This mail is an automated notification from the bugs tracker
 of the project: lwIP - A Lightweight TCP/IP stack.

/**************************************************************************/
[bugs #9160] Latest Modifications:

Changes by: 
                Kieran Mansley <address@hidden>
Date: 
                Sun 05/30/04 at 14:09 (Europe/London)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Fixed
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
Recommendation from original submission applied, but we should keep an eye on 
this as I'm not entirely sure that it's a complete fix.  My doubts stem from 
whether the base of the pbuf payload (p + sizeof(struct pbuf)), or the initial 
payload pointer (p->payload) should be aligned.

/**************************************************************************/
[bugs #9160] Full Item Snapshot:

URL: <http://savannah.nongnu.org/bugs/?func=detailitem&item_id=9160>
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: Kieran Mansley
On: Sun 05/30/04 at 14:00

Category:  pbufs
Severity:  3 - Ordinary
Item Group:  Faulty Behaviour
Resolution:  Fixed
Assigned to:  kieranm
Status:  Closed


Summary:  MEM_ALIGN_SIZE used incorrectly in pbuf_alloc

Original Submission:  
We are trying to get lwip to run on our Arm-7 board; however we are
experiencing occasional memory overwrites, and we think that we have tracked
the problem down to a bug in pbuf_alloc(). We use 4 byte alignment (so
MEM_ALIGNMENT is 4).

In pbuf_alloc() we find the following code fragment:

> p = mem_malloc(MEM_ALIGN_SIZE(sizeof(struct pbuf) + length + offset));
> ...
> p->payload = MEM_ALIGN((void *)((u8_t *)p + sizeof(struct pbuf) + offset));

"sizeof(struct pbuf)" is 16, and offset in this case is 20+20+6 = 46.

When "length" is 21, "sizeof(struct pbuf) + length + offset" becomes 83
which gets (correctly) rounded up by MEM_ALIGN_SIZE to 84.

Then "p + sizeof(struct pbuf) + offset" becomes p+62, and since p is already
allocated on an alignment boundary this gets (correctly) rounded up by
MEM_ALIGN to p+64.

However now "p->payload" points at the 64th byte in an 84-byte buffer, and
that does not leave room enough for the 21 bytes of payload (length) that we
asked for. A short time later in the code we will get a memory overwrite.
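To make the arithmetic above concrete, here is an added C model of the quoted fragment (my own code, not lwIP's). It assumes MEM_ALIGN_SIZE and MEM_ALIGN round up to MEM_ALIGNMENT as in lwIP, a hypothetical aligned base address in place of the real mem_malloc() block, and the report's numbers (sizeof(struct pbuf) 16, offset 46, length 21). The alloc_size_sufficient() sizing is only an illustration of a size that leaves room for the aligned payload, not the change that was applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed to match the report: 4-byte alignment on the ARM7 board. */
#define MEM_ALIGNMENT 4

/* Round a size up to a multiple of MEM_ALIGNMENT (same shape as lwIP's macro). */
#define MEM_ALIGN_SIZE(size) \
  (((size) + MEM_ALIGNMENT - 1) & ~(size_t)(MEM_ALIGNMENT - 1))

/* Round an address up to the next MEM_ALIGNMENT boundary. */
#define MEM_ALIGN(addr) \
  (((uintptr_t)(addr) + MEM_ALIGNMENT - 1) & ~(uintptr_t)(MEM_ALIGNMENT - 1))

/* Result of modelling one pbuf_alloc() call on an assumed aligned base. */
struct pbuf_layout {
  size_t alloc_size;    /* bytes mem_malloc() was asked for */
  size_t payload_start; /* p->payload - (u8_t *)p, after MEM_ALIGN */
  size_t payload_end;   /* payload_start + length */
  int overruns;         /* 1 if payload_end > alloc_size */
};

/* Reproduce the arithmetic quoted from pbuf_alloc(): size the block with
 * MEM_ALIGN_SIZE, then align the payload pointer separately with MEM_ALIGN. */
static struct pbuf_layout layout_as_reported(size_t sizeof_pbuf, size_t offset,
                                             size_t length) {
  struct pbuf_layout l;
  uintptr_t base = 0x1000; /* hypothetical aligned block from mem_malloc() */
  l.alloc_size = MEM_ALIGN_SIZE(sizeof_pbuf + length + offset);
  l.payload_start = (size_t)(MEM_ALIGN(base + sizeof_pbuf + offset) - base);
  l.payload_end = l.payload_start + length;
  l.overruns = l.payload_end > l.alloc_size;
  return l;
}

/* Illustrative sizing: round header+offset up before adding length, so the
 * aligned payload always fits. My own sketch, not the fix made in lwIP. */
static size_t alloc_size_sufficient(size_t sizeof_pbuf, size_t offset,
                                    size_t length) {
  return MEM_ALIGN_SIZE(MEM_ALIGN_SIZE(sizeof_pbuf + offset) + length);
}

int main(void) {
  struct pbuf_layout l = layout_as_reported(16, 20 + 20 + 6, 21);
  printf("alloc=%zu payload@%zu end=%zu overrun=%d\n", l.alloc_size,
         l.payload_start, l.payload_end, l.overruns);
  printf("sufficient size=%zu\n", alloc_size_sufficient(16, 46, 21));
  return 0;
}
```

With the report's numbers the model reproduces the 84-byte block, the payload pointer at byte 64 and the 85-byte end, i.e. a one-byte overrun; the illustrative sizing yields 88 bytes.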


For detailed info, follow this link:
<http://savannah.nongnu.org/bugs/?func=detailitem&item_id=9160>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/