[lwip-devel] [bug #20237] pbuf memory corruption
From: Spark Jon
Subject: [lwip-devel] [bug #20237] pbuf memory corruption
Date: Fri, 22 Jun 2007 08:48:38 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.11

URL: <http://savannah.nongnu.org/bugs/?20237>
Summary: pbuf memory corruption
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: sparkjon
Submitted on: Friday 06/22/2007 at 08:48
Category: pbufs
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
pbuf.c - pbuf_alloc()
The pbuf corrupts the next pbuf under the following conditions:

1. If p->payload has been aligned and moved.

    p->payload = MEM_ALIGN((void *)((u8_t *)p + (sizeof(struct pbuf) + offset)));

2. length > PBUF_POOL_BUFSIZE - offset

    p->len = length > PBUF_POOL_BUFSIZE - offset ? PBUF_POOL_BUFSIZE - offset : length;

The following code fragment fixes the alignment problem, which causes
p->payload + p->len to go over the range of the pbuf, and the later data write
to the p->payload address with p->len will overwrite the p->next value.

    /* set the length of the first pbuf in the chain */
    pbuf_end = (u32)p + sizeof(struct pbuf) + PBUF_POOL_BUFSIZE;
    p->len = length > pbuf_end - (u32)p->payload ? pbuf_end - (u32)p->payload : length;
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?20237>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
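
Added example, not part of the original report and not lwIP code: the address arithmetic behind the report, comparing the offset-based clamp with the payload-relative clamp on plain integer addresses (no memory is written). MEM_ALIGNMENT, PBUF_POOL_BUFSIZE, HDR_SIZE (standing in for sizeof(struct pbuf)), the addresses and all function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration; not taken from any lwIP configuration. */
#define MEM_ALIGNMENT      4u
#define PBUF_POOL_BUFSIZE  128u
#define HDR_SIZE           16u   /* stands in for sizeof(struct pbuf) */

/* Round an address up to MEM_ALIGNMENT, as MEM_ALIGN does for the payload. */
#define ALIGN_UP(a) (((uintptr_t)(a) + MEM_ALIGNMENT - 1u) & ~(uintptr_t)(MEM_ALIGNMENT - 1u))

/* Clamp quoted in the report: assumes payload sits exactly at p + header + offset. */
static size_t len_offset_clamp(size_t length, size_t offset) {
    size_t room = PBUF_POOL_BUFSIZE - offset;
    return length > room ? room : length;
}

/* Clamp proposed in the report: room is measured from the aligned payload. */
static size_t len_payload_clamp(uintptr_t p, uintptr_t payload, size_t length) {
    size_t room = (size_t)(p + HDR_SIZE + PBUF_POOL_BUFSIZE - payload);
    return length > room ? room : length;
}

/* Bytes by which payload + len passes the end of the pool element at p
 * (0 means the write stays inside the element). */
size_t overrun(uintptr_t p, size_t offset, size_t length, int use_payload_clamp) {
    uintptr_t payload = ALIGN_UP(p + HDR_SIZE + offset);
    uintptr_t end = p + HDR_SIZE + PBUF_POOL_BUFSIZE;
    size_t len = use_payload_clamp ? len_payload_clamp(p, payload, length)
                                   : len_offset_clamp(length, offset);
    return payload + len > end ? (size_t)(payload + len - end) : 0;
}

int main(void) {
    /* Constructed case: offset 14 is not a multiple of 4, so alignment moves
     * the payload forward by 2 bytes; length 1500 forces the clamp. */
    printf("offset clamp overrun:  %zu\n", overrun(0x1000, 14, 1500, 0));
    printf("payload clamp overrun: %zu\n", overrun(0x1000, 14, 1500, 1));
    return 0;
}
```

The overrun equals the number of bytes alignment moved the payload, and it only appears when the requested length is large enough to hit the clamp.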