|
| From: | Art R. |
| Subject: | [lwip-devel] [bug #23693] tcp_receive does not handle 'no more segs available' from tcp_seg_copy |
| Date: | Tue, 24 Jun 2008 14:40:19 +0000 |
| User-agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 |
URL:
<http://savannah.nongnu.org/bugs/?23693>
Summary: tcp_receive does not handle 'no more segs
available' from tcp_seg_copy
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: tdir
Submitted on: Tuesday 06/24/2008 at 14:40
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.3.0
_______________________________________________________
Details:
The function tcp_receive() in tcp_in.c can fail by dereferencing a NULL
pointer if the seg pool has no more available segs. The code calls
tcp_seg_copy() to get a seg but does not properly handle the case where a NULL
result is returned (indicating there are no more available segs).
The correction would be to check the return value from tcp_seg_copy() and do
nothing if no seg is obtained. The code currently does this partially but can
still attempt to deref a NULL ptr. Doing so will probably crash the stack.
Relevant code (from tcp_in.c at about line 1190)
cseg = tcp_seg_copy(&inseg);
if (cseg != NULL) {
cseg->next = next->next;
if (prev != NULL) {
prev->next = cseg;
} else {
pcb->ooseq = cseg;
}
}
tcp_seg_free(next);
if (cseg->next != NULL) { // cseg may be NULL
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?23693>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
| [Prev in Thread] | Current Thread | [Next in Thread] |