|
| From: | Bill Auerbach |
| Subject: | [lwip-devel] [bug #27576] pbuf_realloc will assert or crash on a non-chained pbuf list |
| Date: | Thu, 01 Oct 2009 21:16:12 +0000 |
| User-agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) |
URL:
<http://savannah.nongnu.org/bugs/?27576>
Summary: pbuf_realloc will assert or crash on a non-chained
pbuf list
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: billauerbach
Submitted on: Thu 01 Oct 2009 05:16:11 PM EDT
Category: pbufs
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: CVS Head
_______________________________________________________
Details:
pbuf_realloc can be called from ip_input with a bad packet before the packet
is known to be bad because the IP header is bad. This causes an assertion or
crash (when LWIP_NOASSERT defined).
The while loop can be entered with p->next == NULL because new_len can be
incorrect from a bad incoming packet.
pbuf_realloc mentions working with a chain of pbufs but in fact can be called
with a single pbuf (next == NULL). I added the following test before the
while loop and the assertions are bypassed. Whether this is really the
correct solution I cannot say:
/* should this pbuf be kept? */
if(p->next != NULL) {
while (rem_len > q->len) {
/* decrease remaining length by pbuf length */
rem_len -= q->len;
/* decrease total length indicator */
LWIP_ASSERT("grow < max_u16_t", grow < 0xffff);
q->tot_len += (u16_t)grow;
/* proceed to next pbuf in chain */
q = q->next;
LWIP_ASSERT("pbuf_realloc: q != NULL", q != NULL);
}
}
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?27576>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
| [Prev in Thread] | Current Thread | [Next in Thread] |