| From: | Simon Goldschmidt |
| Subject: | [lwip-devel] [bug #23847] do_close_internal references freed memory |
| Date: | Mon, 14 Jul 2008 19:56:23 +0000 |
| User-agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0 |
URL:
<http://savannah.nongnu.org/bugs/?23847>
Summary: do_close_internal references freed memory
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: goldsimon
Submitted on: Monday 14.07.2008 at 19:56
Category: TCP
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: In Progress
Privacy: Public
Assigned to: goldsimon
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: CVS Head
_______________________________________________________
Details:
As found by marc walrave on lwip-users:
"I have some problems closing a listening tcp socket in some test code
(using lwip 1.3.0)
I traced the problem to the do_close_internal function (from api_msg.c)
do_close_internal internally :-) calls tcp_close
Depending on the pcb state tcp_close potentially frees the pcb of the
netconn struct (via memp_free) for which do_close_internal was called
(tcp_close then returns ERR_OK).
Now after the tcp_close function returns do_close_internal still
references the pcb pointer as if it was NOT freed?
The problem triggered memory corruption on my target because the
listening socket is equipped with a smaller pcb (via
tcp_listen_with_backlog)
And the do_close_internal function incorrectly calls the tcp_poll
function on this tiny pcb leading to problems which are fortunately
detected by the MEMP_OVERFLOW_CHECK code."
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?23847>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
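
The ownership hazard described in the report above, as an added illustration (not lwIP code and not part of the original message): a close routine that may free the pcb on success, and a caller that detaches callbacks before the call and touches the pcb again only when close fails. All `toy_*` names are hypothetical, and "unsent data" as the reason close fails is an assumption of the model.

```c
#include <stdlib.h>

/* Toy model of the close path; every name here is hypothetical, not lwIP API. */
enum toy_state { TOY_LISTEN, TOY_ESTABLISHED };
typedef void (*toy_poll_fn)(void *arg);

struct toy_hdr  { enum toy_state state; };              /* all a listening pcb has */
struct toy_full { struct toy_hdr hdr; toy_poll_fn poll; int unsent; };
struct toy_conn { struct toy_hdr *pcb; };

static void toy_poll_cb(void *arg) { (void)arg; }

/* Allocate a small pcb for LISTEN, a full one otherwise. */
struct toy_hdr *toy_new(enum toy_state st, int unsent) {
    if (st == TOY_LISTEN) {
        struct toy_hdr *h = malloc(sizeof *h);
        if (h) h->state = st;
        return h;
    }
    struct toy_full *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->hdr.state = st; f->poll = toy_poll_cb; f->unsent = unsent;
    return &f->hdr;
}

/* Returns 0 and frees the pcb, or returns -1 and leaves it alive
 * (assumed failure condition in this model: data still unsent). */
int toy_close(struct toy_hdr *pcb) {
    if (pcb->state != TOY_LISTEN && ((struct toy_full *)pcb)->unsent > 0)
        return -1;
    free(pcb);
    return 0;
}

/* Caller side: detach everything before the call, touch the pcb again
 * only on the failure path, where it is known to still exist. */
int toy_do_close(struct toy_conn *conn) {
    struct toy_hdr *pcb = conn->pcb;
    struct toy_full *full = (pcb->state == TOY_LISTEN) ? NULL : (struct toy_full *)pcb;
    toy_poll_fn saved = full ? full->poll : NULL;

    if (full) full->poll = NULL;    /* only full pcbs have callback fields */
    conn->pcb = NULL;
    if (toy_close(pcb) == 0)
        return 0;                   /* pcb is gone: no further access */
    if (full) full->poll = saved;   /* close refused: pcb still valid */
    conn->pcb = pcb;
    return -1;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and then moving the `full->poll = NULL` line to after `toy_close` returns 0 makes the sanitizer report the heap-use-after-free on the freed pcb.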