[lwip-devel] [bug #24032] pbuf realloc wander over the end of a linked l


From: Pasi Kukkonen
Subject: [lwip-devel] [bug #24032] pbuf realloc wander over the end of a linked list
Date: Mon, 11 Aug 2008 07:57:45 +0000
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

URL:
  <http://savannah.nongnu.org/bugs/?24032>

                 Summary: pbuf realloc wander over the end of a linked list
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: pasik
            Submitted on: Monday 08/11/2008 at 07:57
                Category: pbufs
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.3.0

    _______________________________________________________

Details:

I'm reporting this bug on behalf of a colleague:

"The error was that it was trying to pbuf_free an invalid piece of memory,
because q was null, therefore q->next would be pointing at invalid memory.

I tracked the bug down to being a function in the LWIP stack that wandered
over the end of a linked list when doing a pbuf realloc.
I fixed this by checking the list walk, and terminating the realloc if it
wandered off the end of the list.

Network traffic was at about 7 Mbits per second."

Here is the diff (WinCvs); not quite sure what the original source version was.
Relevant changes: q != NULL in the while condition and the new if statements.

diff -u -w -b -r1.128 pbuf.c
--- pbuf.c      1 Apr 2008 19:05:40 -0000       1.128
+++ pbuf.c      28 Jul 2008 16:36:11 -0000
@@ -291,7 +291,7 @@
   rem_len = new_len;
   q = p;
   /* should this pbuf be kept? */
-  while (rem_len > q->len) {
+  while ((rem_len > q->len) && (q != NULL)) {
     /* decrease remaining length by pbuf length */
     rem_len -= q->len;
     /* decrease total length indicator */
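Review bot: the NULL test in `while ((rem_len > q->len) && (q != NULL))` sits on the wrong side of the `&&`: `q->len` is dereferenced before `q` is compared with NULL, so the guard never runs before the read it is meant to prevent. Swap the operands to `while ((q != NULL) && (rem_len > q->len))` so the short-circuit evaluation protects the dereference. Since walking off the end can only happen when new_len is larger than the chain, it would also be cleaner to reject such a request before the loop starts decreasing the total length indicator on the pbufs it walks.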
@@ -302,7 +302,8 @@
   }
   /* we have now reached the new last pbuf (in q) */
   /* rem_len == desired length for pbuf q */
-
+  if (q!=NULL)
+  {
   /* shrink allocated memory for PBUF_RAM */
   /* (other types merely adjust their length fields */
   if ((q->type == PBUF_RAM) && (rem_len != q->len)) {
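Review bot: if `q` is NULL at this point the function now returns silently, but the loop in the previous hunk has already decreased the total length indicator of every pbuf it walked, so the caller gets back a chain whose length fields no longer describe it and no indication that anything went wrong. Validate new_len against the chain's total length before the walk (and report the violation with the existing LWIP_ERROR/LWIP_ASSERT machinery) rather than wrapping the tail of the function in `if (q!=NULL)`. Style: lwIP writes `if (q != NULL) {` with the brace on the same line, and the enclosed statements should be re-indented so the new scope is visible.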
@@ -321,6 +322,7 @@
   }
   /* q is last packet in chain */
   q->next = NULL;
+  }
 
 }
 
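Review bot: the closing `+  }` is added at the same indentation as the statement it follows (`q->next = NULL;`), and none of the lines between the new `if` and this brace were re-indented, so the extent of the new block cannot be seen from the code. Either re-indent the enclosed lines or restructure with an early return right after the walk, so the scope change is obvious to the next reader.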
@@ -357,8 +359,14 @@
  
   if (header_size_increment < 0){
     increment_magnitude = -header_size_increment;
+    
+       if( increment_magnitude > p->len)
+       {
+               return 0;
+       }
+       
     /* Check that we aren't going to move off the end of the pbuf */
-    LWIP_ERROR("increment_magnitude <= p->len", (increment_magnitude <=
p->len), return 1;);
+    //LWIP_ERROR("increment_magnitude <= p->len", (increment_magnitude <=
p->len), return 1;);
   } else {
     increment_magnitude = header_size_increment;
 #if 0
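Review bot: the new `return 0;` inverts the error convention of the line it replaces: the commented-out `LWIP_ERROR("increment_magnitude <= p->len", ..., return 1;)` returns 1 for exactly this failure, and pbuf_header reports success with 0, so a caller asking to strip more than `p->len` bytes is now told the header was moved when nothing happened. Keep the LWIP_ERROR line (it already performs the `increment_magnitude <= p->len` check and returns 1) instead of duplicating it with a `return 0`, and do not comment it out with `//`, which lwIP's sources avoid in favour of `/* */`. The tab-indented lines also mix with the surrounding two-space indentation.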

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?24032>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
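The chain walk the report describes, written out as an added example that is not part of the bug report or of lwIP's pbuf.c. The `struct pbuf` below is a constructed stand-in carrying only the three fields the walk touches (`next`, `len`, `tot_len`); `chain_build`, `chain_free`, `chain_count`, `chain_shrink` and `selftest` are names chosen for this example. `chain_shrink` mirrors the rem_len walk of pbuf_realloc but only trims length fields (no PBUF_RAM reallocation) and shows the two checks the patch needs: the request is validated against `tot_len` before anything is modified, and the NULL test is evaluated before `q->len` is read, so an inconsistent chain yields an error code instead of a dereference of NULL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for lwIP's struct pbuf (constructed for this example):
 * only the fields a chain walk touches, no payload and no pool types. */
struct pbuf {
  struct pbuf *next;
  unsigned short len;      /* bytes held by this pbuf */
  unsigned short tot_len;  /* bytes in this pbuf plus all that follow it */
};

/* Free every pbuf from p onwards. */
void chain_free(struct pbuf *p) {
  while (p != NULL) {
    struct pbuf *n = p->next;
    free(p);
    p = n;
  }
}

/* Build a chain whose segments have the given lengths (constructed helper). */
struct pbuf *chain_build(const unsigned short *lens, size_t n) {
  struct pbuf *head = NULL, **link = &head;
  unsigned short total = 0;
  size_t i;
  for (i = 0; i < n; i++) total += lens[i];
  for (i = 0; i < n; i++) {
    struct pbuf *q = calloc(1, sizeof *q);
    if (q == NULL) { chain_free(head); return NULL; }
    q->len = lens[i];
    q->tot_len = total;        /* invariant: tot_len == len + next->tot_len */
    total -= lens[i];
    *link = q;
    link = &q->next;
  }
  return head;
}

/* Number of pbufs in the chain. */
int chain_count(const struct pbuf *p) {
  int n = 0;
  for (; p != NULL; p = p->next) n++;
  return n;
}

/* Shrink the chain starting at p to new_len bytes by adjusting length fields
 * and freeing the tail. Returns 0 on success, -1 if new_len exceeds the chain
 * (nothing is modified in that case), and -2 if the walk fell off the end,
 * which can only happen when the tot_len fields were already inconsistent. */
int chain_shrink(struct pbuf *p, unsigned short new_len) {
  struct pbuf *q;
  unsigned short rem_len, shrink;

  /* Validate the request before touching any length field. */
  if (p == NULL || new_len > p->tot_len) return -1;
  shrink = p->tot_len - new_len;

  rem_len = new_len;
  q = p;
  /* Test q before dereferencing it: && short-circuits left to right, so the
   * operand order is what keeps q->len from being read through a NULL pointer. */
  while (q != NULL && rem_len > q->len) {
    rem_len -= q->len;         /* this pbuf stays whole */
    q->tot_len -= shrink;      /* everything from here on loses 'shrink' bytes */
    q = q->next;
  }
  if (q == NULL) return -2;    /* chain shorter than its tot_len claimed */

  /* q is the new last pbuf; a real pbuf_realloc would also shrink a PBUF_RAM
   * allocation here, this example only trims the length fields. */
  q->len = rem_len;
  q->tot_len = rem_len;
  chain_free(q->next);
  q->next = NULL;
  return 0;
}

/* Scenario from the report: a 3-segment chain, one oversized request (must be
 * rejected untouched), one valid one, and a corrupted chain whose tot_len
 * overstates its length. Returns the number of failed checks. */
int selftest(void) {
  unsigned short lens[3] = {100, 100, 100};
  struct pbuf *p = chain_build(lens, 3);
  struct pbuf *bad = chain_build(lens, 2);
  int failed = 0;
  if (p == NULL || bad == NULL) { chain_free(p); chain_free(bad); return 1; }
  failed += (chain_shrink(p, 400) != -1);
  failed += (p->tot_len != 300 || chain_count(p) != 3);
  failed += (chain_shrink(p, 150) != 0);
  failed += (p->len != 100 || p->tot_len != 150);
  failed += (chain_count(p) != 2 || p->next->len != 50 || p->next->tot_len != 50);
  bad->tot_len = 500;                       /* constructed corruption */
  failed += (chain_shrink(bad, 350) != -2); /* detected, not dereferenced */
  chain_free(p);
  chain_free(bad);
  return failed;
}

int main(void) {
  int failed = selftest();
  printf("%s (%d failed checks)\n", failed ? "FAIL" : "OK", failed);
  return failed ? 1 : 0;
}
```

Running the program prints `OK (0 failed checks)`; the oversized request leaves the chain exactly as built, the valid one trims it to two pbufs of 100 and 50 bytes, and the corrupted chain is reported with -2 rather than crashing.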