From: Simon Goldschmidt
Subject: [lwip-devel] [bug #23847] do_close_internal references freed memory
Date: Mon, 14 Jul 2008 19:56:23 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0
URL: <http://savannah.nongnu.org/bugs/?23847>

Summary: do_close_internal references freed memory
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: goldsimon
Submitted on: Monday 14.07.2008 at 19:56
Category: TCP
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: In Progress
Privacy: Public
Assigned to: goldsimon
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: CVS Head

_______________________________________________________

Details:

As found by marc walrave on lwip-users:

"I have some problems closing a listening tcp socket in some test code (using lwip 1.3.0)

I traced the problem to the do_close_internal function (from api_msg.c)

do_close_internal internally :-) calls tcp_close

Depending on the pcb state tcp_close potentially frees the pcb of the netconn struct (via memp_free) for which do_close_internal was called (tcp_close then returns ERR_OK).

Now after the tcp_close function returns dl_close_internal still references the pcb pointer as if it was NOT freed?

The problem triggered memory corruption on my target because the listening socket is equipped with a smaller pcb (via tcp_listen_with_backlog)

And the do_close_internal function incorrectly calls the tcp_poll function on this tiny pcb leading to problems which are fortunately detected by the MEMP_OVERFLOW_CHECK code."

_______________________________________________________

Reply to this item at:

<http://savannah.nongnu.org/bugs/?23847>

_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
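The ownership problem in this report, reduced to a self-contained C model. This is an added example, not lwIP source and not the change committed for this bug; `model_close`, `close_conn`, `on_poll` and the struct names are hypothetical stand-ins. It reads the pcb state and detaches the callback before the close call, then drops the pointer on success and restores the callback only when the close failed.

```c
#include <stdlib.h>

/* Simplified model, NOT lwIP source; every name below is hypothetical. */
enum pcb_state { ST_LISTEN, ST_ESTABLISHED };
typedef void (*poll_fn)(void);
struct pcb_listen { enum pcb_state state; };               /* small listener pcb */
struct pcb_full   { enum pcb_state state; poll_fn poll; }; /* full-size pcb */
struct conn { void *pcb; };
void on_poll(void) {}

/* Stand-in for the close call in the report: on success the pcb is freed
 * and 0 is returned; on failure (-1) the pcb stays valid. */
int model_close(void *pcb, int fail) {
    if (fail) return -1;
    free(pcb);
    return 0;
}

/* Ordering that avoids the reported bug. The faulty ordering calls
 * model_close() first and then writes ->poll through the stale pointer,
 * which for a listener is also a write past the smaller allocation. */
int close_conn(struct conn *c, int fail) {
    /* Read the state while the pcb is valid; only a full pcb has ->poll. */
    struct pcb_full *full = (*(enum pcb_state *)c->pcb != ST_LISTEN) ? c->pcb : NULL;
    poll_fn saved = full ? full->poll : NULL;
    if (full) full->poll = NULL;           /* detach before closing */
    int err = model_close(c->pcb, fail);
    if (err == 0) c->pcb = NULL;           /* freed: drop the reference */
    else if (full) full->poll = saved;     /* still ours: restore for a retry */
    return err;
}

/* Constructed scenarios; each returns 1 when the invariant holds. */
int demo_listener(void) {
    struct pcb_listen *l = malloc(sizeof *l);
    if (!l) return 0;
    l->state = ST_LISTEN;
    struct conn c = { l };
    return close_conn(&c, 0) == 0 && c.pcb == NULL;
}

int demo_retry(void) {
    struct pcb_full *f = malloc(sizeof *f);
    if (!f) return 0;
    f->state = ST_ESTABLISHED; f->poll = on_poll;
    struct conn c = { f };
    int kept = close_conn(&c, 1) == -1 && c.pcb == f && f->poll == on_poll;
    return kept && close_conn(&c, 0) == 0 && c.pcb == NULL;
}
```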