
[lwip-devel] [patch #5796] pbuf_alloc: len field calculation causes memo


From: Simon Goldschmidt
Subject: [lwip-devel] [patch #5796] pbuf_alloc: len field calculation causes memory corruption
Date: Sun, 11 Mar 2007 17:15:21 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

URL:
  <http://savannah.nongnu.org/patch/?5796>

                 Summary: pbuf_alloc: len field calculation causes memory corruption
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: goldsimon
            Submitted on: Sunday 11.03.2007 at 17:15
                Category: None
                Priority: 7 - High
                  Status: In Progress
                 Privacy: Public
             Assigned to: goldsimon
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

When calling

pbuf_alloc(PBUF_LINK, size, PBUF_POOL)

with size > PBUF_POOL_BUFSIZE and if PBUF_LINK_HLEN is not a multiple of
MEM_ALIGNMENT, the calculation of the 'len' field results in the pbuf being
longer than its actual payload:

original code (offset is too small -> len is too long):

p->len = length > PBUF_POOL_BUFSIZE - offset ? PBUF_POOL_BUFSIZE - offset : length;

patch:

p->len = length > PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset) ? PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset) : length;

This still relies on struct pbuf being a multiple of MEM_ALIGNMENT (which it
may or may not be), so I also added an assert statement for this in
pbuf_init().

If no one objects, I'll check it in.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sunday 11.03.2007 at 17:15  Name: pbuf_pool_smallchunks.patch  Size: 1kB   By: goldsimon

<http://savannah.nongnu.org/patch/download.php?file_id=12172>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/patch/?5796>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
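
The arithmetic behind the report above, as an added example that is not part of the original message, the attached patch, or the lwIP source. It assumes constructed values (MEM_ALIGNMENT 4, PBUF_LINK_HLEN 14, PBUF_POOL_BUFSIZE 128, header sizes 16 and 19), a local definition of MEM_ALIGN_SIZE, and a simplified pool element layout described in the comments; the function names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample configuration (assumed values, not from the post). */
#define MEM_ALIGNMENT      4
#define PBUF_LINK_HLEN     14
#define PBUF_POOL_BUFSIZE  128
/* Round n up to a multiple of MEM_ALIGNMENT (local definition). */
#define MEM_ALIGN_SIZE(n) \
    (((size_t)(n) + MEM_ALIGNMENT - 1) & ~(size_t)(MEM_ALIGNMENT - 1))

/* 'len' as computed by the original line quoted in the message. */
static size_t len_original(size_t length, size_t offset)
{
    size_t room = PBUF_POOL_BUFSIZE - offset;
    return length > room ? room : length;
}

/* 'len' as computed by the patched line quoted in the message. */
static size_t len_patched(size_t length, size_t offset)
{
    size_t room = PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset);
    return length > room ? room : length;
}

/* Bytes by which payload + len runs past the end of one pool element.
 * Assumed layout: the element is hdr_size + PBUF_POOL_BUFSIZE bytes at an
 * aligned address, and the payload pointer is aligned up from
 * hdr_size + offset. */
static size_t overrun(size_t hdr_size, size_t offset, size_t len)
{
    size_t payload_at = MEM_ALIGN_SIZE(hdr_size + offset);
    size_t end = hdr_size + PBUF_POOL_BUFSIZE;
    return payload_at + len > end ? payload_at + len - end : 0;
}

int main(void)
{
    size_t size = 300;  /* size > PBUF_POOL_BUFSIZE, as in the report */
    size_t lo = len_original(size, PBUF_LINK_HLEN);
    size_t lp = len_patched(size, PBUF_LINK_HLEN);
    printf("hdr=16 original: len=%zu overrun=%zu\n", lo, overrun(16, PBUF_LINK_HLEN, lo));
    printf("hdr=16 patched:  len=%zu overrun=%zu\n", lp, overrun(16, PBUF_LINK_HLEN, lp));
    /* Header size not a multiple of MEM_ALIGNMENT: the patched len is too long again. */
    printf("hdr=19 patched:  len=%zu overrun=%zu\n", lp, overrun(19, PBUF_LINK_HLEN, lp));
    return 0;
}
```

The last case is why the message pairs the fix with an assertion that the pbuf header size is a multiple of MEM_ALIGNMENT.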




