[lwip-devel] [patch #3796] api_lib.c: patch for netconn_write(), fixes a possible race condition

[Dmitry Potapov]

Follow-up Comment #6, patch #3796 (project lwip):

The current code of netconn_write certainly has a bug. Of course, the real
solution would be to move some part of netconn_write to TCP/IP thread, but it
is not easy and requires a lot of changes.

I believe the proposed patch does solve the problem for most cases.
Unfortunately, the explanation provided by the author of the patch is a bit
difficult to follow.

The problem is in the following lines:

      if (size > tcp_sndbuf(conn->pcb.tcp)) {
  /* We cannot send more than one send buffer's worth of data at a
     time. */
  len = tcp_sndbuf(conn->pcb.tcp);
      } else {
  len = size; 
      }

If the value of tcp_sndbuf(conn->pcb.tcp) is changed between verifying the
condition and assigment to `len' then `len' can have value larger than size!
So netconn_write will send some garbage. After that,  size -= len; will cause
overflow of `size', so it will continue to send even more garbage. So 64Kb of
garbage will be sent.

The solution proposed by the author of the patch is simple -- to evaluate
tcp_sndbuf(conn->pcb.tcp) expression only once and to keep it in a local
variable, which is always good thing to do, because it reduces size of the
code and increases speed.

So I will recommend to apply this patch now, because more perfect solution
may take some to be developed and the current patch will solve problems for
most users.

Of course, the semaphore related stuff is no longer needed, so I remove it in
a newly attached version.

(file #12149)
    _______________________________________________________

Additional Item Attachment:

File name: netconn_write-2.patch          Size:1 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/patch/?3796>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/