[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] tcp_receive can try to deref a NULL pointer
From: |
Art R. |
Subject: |
[lwip-devel] tcp_receive can try to deref a NULL pointer |
Date: |
Mon, 23 Jun 2008 10:57:02 -0700 (PDT) |
in tcp_in.c at about lines 1190-1200
cseg = tcp_seg_copy(&inseg);
if (cseg != NULL) {
cseg->next = next->next;
if (prev != NULL) {
prev->next = cseg;
} else {
pcb->ooseq = cseg;
}
}
tcp_seg_free(next);
if (cseg->next != NULL) {
The implementation of tcp_seg_copy() includes this bit to do the allocation:
cseg = memp_malloc(MEMP_TCP_SEG);
if (cseg == NULL) {
return NULL;
}
The tcp_seg_copy() returns a NULL pointer if the seg pool is exhausted. (We
have observed this - if the sender fails to receive ACKs.)
The if (cseg->next) would then try to dereference a NULL pointer.
Probably the code should just skip over the whole attempt to insert the new
pkt if it is unable to get a seg (if memp_malloc() returns a NULL)?
Thanks,
Art R.
--
View this message in context:
http://www.nabble.com/tcp_receive-can-try-to-deref-a-NULL-pointer-tp18074665p18074665.html
Sent from the lwip-devel mailing list archive at Nabble.com.
- [lwip-devel] tcp_receive can try to deref a NULL pointer,
Art R. <=