From: Bill Auerbach
Subject: [lwip-devel] [bug #27576] pbuf_realloc will assert or crash on a non-chained pbuf list
Date: Thu, 01 Oct 2009 21:16:12 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

URL:
  <http://savannah.nongnu.org/bugs/?27576>

Summary: pbuf_realloc will assert or crash on a non-chained pbuf list
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: billauerbach
Submitted on: Thu 01 Oct 2009 05:16:11 PM EDT
Category: pbufs
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: CVS Head

_______________________________________________________

Details:

pbuf_realloc can be called from ip_input with a bad packet before the packet is known to be bad because the IP header is bad. This causes an assertion or crash (when LWIP_NOASSERT is defined).

The while loop can be entered with p->next == NULL because new_len can be incorrect from a bad incoming packet. pbuf_realloc mentions working with a chain of pbufs but in fact can be called with a single pbuf (next == NULL).

I added the following test before the while loop and the assertions are bypassed. Whether this is really the correct solution I cannot say:

  /* should this pbuf be kept? */
  if (p->next != NULL) {
    while (rem_len > q->len) {
      /* decrease remaining length by pbuf length */
      rem_len -= q->len;
      /* decrease total length indicator */
      LWIP_ASSERT("grow < max_u16_t", grow < 0xffff);
      q->tot_len += (u16_t)grow;
      /* proceed to next pbuf in chain */
      q = q->next;
      LWIP_ASSERT("pbuf_realloc: q != NULL", q != NULL);
    }
  }

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?27576>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
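
The failure mode reported above, shown as an added example that is not lwIP's code and not part of the original report: a chain walk that confirms the chain really holds the requested length before changing anything, so a length the chain cannot satisfy yields an error instead of a NULL dereference. `struct mini_pbuf` and `mini_pbuf_trim` are hypothetical names, and the struct models only the fields the report mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for lwIP's struct pbuf (assumption, not the real type). */
struct mini_pbuf {
    struct mini_pbuf *next;
    uint16_t tot_len;   /* bytes in this pbuf plus all following ones */
    uint16_t len;       /* bytes in this pbuf only */
};

/* Hypothetical helper: shrink chain p to new_len bytes.
 * Returns 0 on success, -1 if the chain cannot satisfy new_len.
 * Nothing is modified on failure. */
int mini_pbuf_trim(struct mini_pbuf *p, uint16_t new_len)
{
    struct mini_pbuf *q;
    uint16_t rem_len = new_len;
    uint16_t shrink;

    if (p == NULL || new_len > p->tot_len)
        return -1;                  /* growing is not supported */

    /* Pass 1: read-only walk that never assumes q->next is non-NULL. */
    for (q = p; rem_len > q->len; q = q->next) {
        if (q->next == NULL)
            return -1;              /* tot_len promised more than the chain has */
        rem_len -= q->len;
    }

    /* Pass 2: the walk is known to be safe, so apply the new lengths. */
    shrink = (uint16_t)(p->tot_len - new_len);
    rem_len = new_len;
    for (q = p; rem_len > q->len; q = q->next) {
        rem_len -= q->len;
        q->tot_len -= shrink;
    }
    q->len = rem_len;
    q->tot_len = rem_len;
    q->next = NULL;                 /* real code would free the dropped tail */
    return 0;
}

int main(void)
{
    /* Constructed sample: a single pbuf whose tot_len overstates its data. */
    struct mini_pbuf bad = { NULL, 60, 20 };
    printf("trim(bad, 40) = %d\n", mini_pbuf_trim(&bad, 40));
    return 0;
}
```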