[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #17645] pbuf_header() corrupts pbuf chain if header_si
|
From: |
anonymous |
|
Subject: |
[lwip-devel] [bug #17645] pbuf_header() corrupts pbuf chain if header_size_increment is out of payload range |
|
Date: |
Fri, 8 Sep 2006 08:28:52 +0000 |
|
User-agent: |
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 |
URL:
<http://savannah.nongnu.org/bugs/?17645>
Summary: pbuf_header() corrupts pbuf chain if
header_size_increment is out of payload range
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: None
Submitted on: Freitag 08.09.2006 um 08:28 UTC
Category: pbufs
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
_______________________________________________________
Details:
If you allocate a pbuf chain and you call pbuf_header(pbuf, inc) with 'inc' >
than 'len' of the first pbuf, the first pbuf in the chain will get corrupted
('payload' points to a region after the original data which does not belong
to the 'packet'); the second pbuf will remain untouched. Also, 'tot_len' will
be OK while 'len' of the first pbuf will get negative (and since len is an
u16_t, it will be around 65530...)
Possible solution: check the header_size_increment parameter against the len
value of the given pbuf before doing anything!
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?17645>
_______________________________________________
Nachricht geschickt von/durch Savannah
http://savannah.nongnu.org/
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [lwip-devel] [bug #17645] pbuf_header() corrupts pbuf chain if header_size_increment is out of payload range,
anonymous <=