[lwip-devel] [bug #41508] using NULL pointer in icmp_send_response
From: luozhaosong
Subject: [lwip-devel] [bug #41508] using NULL pointer in icmp_send_response
Date: Sat, 08 Feb 2014 03:04:36 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

URL: <http://savannah.nongnu.org/bugs/?41508>
Summary: using NULL pointer in icmp_send_response
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: geliter
Submitted on: Sat Feb 8 03:04:35 2014
Category: IPv4
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.4.1
_______________________________________________________
Details:
I am using lwip-1.4.1.
In the function icmp_send_response (\lwip-1.4.1\src\core\ipv4\icmp.c), when it
invokes ip_output, it uses a null pointer as the second parameter: ip_output(q,
NULL, &iphdr_src, ICMP_TTL, 0, IP_PROTO_ICMP).
But ip_output does not check whether the second parameter is NULL.
So I think this is a bug, but I am not sure how to fix it. I would appreciate any
response!
I fixed it as follows:
static void
icmp_send_response(struct pbuf *p, u8_t type, u8_t code)
{
  struct pbuf *q;
  struct ip_hdr *iphdr;
  /* we can use the echo header here */
  struct icmp_echo_hdr *icmphdr;
  ip_addr_t iphdr_src;
  ip_addr_t iphdr_dst;

  /* ICMP header + IP header + 8 bytes of data */
  q = pbuf_alloc(PBUF_IP,
                 sizeof(struct icmp_echo_hdr) + IP_HLEN + ICMP_DEST_UNREACH_DATASIZE,
                 PBUF_RAM);
  if (q == NULL) {
    LWIP_DEBUGF(ICMP_DEBUG,
                ("icmp_time_exceeded: failed to allocate pbuf for ICMP packet.\n"));
    return;
  }
  LWIP_ASSERT("check that first pbuf can hold icmp message",
              (q->len >= (sizeof(struct icmp_echo_hdr) + IP_HLEN +
                          ICMP_DEST_UNREACH_DATASIZE)));

  iphdr = (struct ip_hdr *)p->payload;
  LWIP_DEBUGF(ICMP_DEBUG, ("icmp_time_exceeded from "));
  ip_addr_debug_print(ICMP_DEBUG, &(iphdr->src));
  LWIP_DEBUGF(ICMP_DEBUG, (" to "));
  ip_addr_debug_print(ICMP_DEBUG, &(iphdr->dest));
  LWIP_DEBUGF(ICMP_DEBUG, ("\n"));

  icmphdr = (struct icmp_echo_hdr *)q->payload;
  icmphdr->type = type;
  icmphdr->code = code;
  icmphdr->id = 0;
  icmphdr->seqno = 0;

  /* copy fields from original packet */
  SMEMCPY((u8_t *)q->payload + sizeof(struct icmp_echo_hdr), (u8_t *)p->payload,
          IP_HLEN + ICMP_DEST_UNREACH_DATASIZE);

  /* calculate checksum */
  icmphdr->chksum = 0;
  icmphdr->chksum = inet_chksum(icmphdr, q->len);
  ICMP_STATS_INC(icmp.xmit);
  /* increase number of messages attempted to send */
  snmp_inc_icmpoutmsgs();
  /* increase number of destination unreachable messages attempted to send */
  snmp_inc_icmpouttimeexcds();
  ip_addr_copy(iphdr_src, iphdr->src);
  ip_addr_copy(iphdr_dst, iphdr->dest);
  ip_output(q, &iphdr_dst, &iphdr_src, ICMP_TTL, 0, IP_PROTO_ICMP);
  pbuf_free(q);
}
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?41508>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
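
Added example, not lwIP code and not part of the original report: a self-contained C model of an output routine whose source-address argument may be NULL, showing the check a reviewer should look for in the callee before concluding that a call like ip_output(q, NULL, ...) dereferences NULL. All demo_* names and the sample addresses are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; these are not lwIP types. */
typedef struct { uint32_t addr; } demo_addr_t;
typedef struct { demo_addr_t ip_addr; } demo_netif_t;
#define DEMO_ADDR_ANY 0u

/* Treats both a NULL pointer and 0.0.0.0 as "no source given".
 * The NULL test comes first, so addr is never read through NULL. */
static int demo_addr_isany(const demo_addr_t *a)
{
  return a == NULL || a->addr == DEMO_ADDR_ANY;
}

/* Picks the source address to write into the outgoing IP header.
 * Returns 0 on success, -1 if no usable address exists. */
int demo_select_src(const demo_addr_t *src, const demo_netif_t *netif,
                    demo_addr_t *out)
{
  if (out == NULL) {
    return -1;
  }
  if (demo_addr_isany(src)) {
    /* Caller left the choice to the stack: use the interface address. */
    if (netif == NULL || netif->ip_addr.addr == DEMO_ADDR_ANY) {
      return -1;
    }
    *out = netif->ip_addr;
    return 0;
  }
  *out = *src; /* src is known to be non-NULL here */
  return 0;
}

int main(void)
{
  demo_netif_t netif = { { 0xC0A80001u } };   /* constructed: 192.168.0.1 */
  demo_addr_t explicit_src = { 0x0A000005u }; /* constructed: 10.0.0.5 */
  demo_addr_t out = { 0 };

  int rc = demo_select_src(NULL, &netif, &out);
  printf("NULL src     -> rc=%d addr=%08x\n", rc, (unsigned)out.addr);
  rc = demo_select_src(&explicit_src, &netif, &out);
  printf("explicit src -> rc=%d addr=%08x\n", rc, (unsigned)out.addr);
  return 0;
}
```

If the callee has no such guard before the dereference, the NULL argument is a real defect; if it does, NULL is an API convention meaning "choose the source for me".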