

From: Ambroz Bizjak
Subject: [lwip-devel] [bug #51595] ip4_reass: ip_reass_pbufcount may be updated incorrectly
Date: Thu, 27 Jul 2017 18:14:04 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?51595>

                 Summary: ip4_reass: ip_reass_pbufcount may be updated incorrectly
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: abizjak
            Submitted on: Thu 27 Jul 2017 10:14:02 PM UTC
                Category: IPv4
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

In ip4_frag.c, ip4_reass(), see this code:

  /* Track the current number of pbufs current 'in-flight', in order to limit
     the number of fragments that may be enqueued at any one time
     (overflow checked by testing against IP_REASS_MAX_PBUFS) */
  ip_reass_pbufcount = (u16_t)(ip_reass_pbufcount + clen);

  /* At this point, we have either created a new entry or pointing
   * to an existing one */

  /* check for 'no more fragments', and update queue entry*/
  if ((IPH_OFFSET(fraghdr) & PP_NTOHS(IP_MF)) == 0) {
    u16_t datagram_len = (u16_t)(offset + len);
    if ((datagram_len < offset) || (datagram_len > (0xFFFF - IP_HLEN))) {
      /* u16_t overflow, cannot handle this */
      goto nullreturn;

In this case of "goto nullreturn", ip_reass_pbufcount has been increased but
the pbuf has not been queued to the reassembly chains.

After this, ip_reass_chain_frag_into_datagram_and_validate seems to take
responsibility for decrementing back in case the pbuf was not queued, which is
fine. The solution should be to move the increment below the if block /* check
for 'no more fragments', and update queue entry*/.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?51595>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
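The accounting problem described in the report, shown as an added example (a constructed, simplified model written for this page, not lwIP code and not part of the bug report). The names frag_t, reass_process, reass_release_queued, leaked_after and accepts_good_after are assumptions made for the illustration; IP_REASS_MAX_PBUFS, IP_HLEN and the u16_t overflow check are taken from the excerpt above. The model charges a fragment's pbuf count against the budget either before the "no more fragments" length check (the order the report describes) or after it (the order the report proposes), and then shows what a defender cares about: with the buggy order, every rejected last fragment leaves its count charged against IP_REASS_MAX_PBUFS, so the reassembly budget shrinks until well-formed fragments are refused.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not lwIP code. Values from the excerpt in the report. */
#define IP_REASS_MAX_PBUFS 10
#define IP_HLEN 20

/* Minimal stand-in for the fields ip4_reass() looks at (assumption). */
typedef struct {
  uint16_t offset;      /* fragment offset in bytes */
  uint16_t len;         /* fragment payload length */
  bool more_fragments;  /* IP_MF flag */
  uint16_t clen;        /* number of pbufs in this fragment's chain */
} frag_t;

typedef enum { ORDER_BUGGY, ORDER_FIXED } order_t;

static uint16_t ip_reass_pbufcount; /* pbufs charged against the budget */
static uint16_t queued_clen;        /* pbufs actually sitting on reassembly chains */

static void reass_reset(void) { ip_reass_pbufcount = 0; queued_clen = 0; }

/* The u16_t overflow check from the excerpt, applied to the last fragment. */
static bool last_fragment_len_ok(uint16_t offset, uint16_t len) {
  uint16_t datagram_len = (uint16_t)(offset + len);
  return !((datagram_len < offset) || (datagram_len > (0xFFFF - IP_HLEN)));
}

/* Process one fragment; returns true if it was queued for reassembly. */
static bool reass_process(order_t order, const frag_t *f) {
  /* Budget check against IP_REASS_MAX_PBUFS (simplified: no eviction of old datagrams). */
  if ((uint32_t)ip_reass_pbufcount + f->clen > IP_REASS_MAX_PBUFS) return false;

  if (order == ORDER_BUGGY)
    ip_reass_pbufcount = (uint16_t)(ip_reass_pbufcount + f->clen); /* charged early */

  if (!f->more_fragments && !last_fragment_len_ok(f->offset, f->len))
    return false; /* "goto nullreturn": pbuf dropped, never queued, count not undone */

  if (order == ORDER_FIXED)
    ip_reass_pbufcount = (uint16_t)(ip_reass_pbufcount + f->clen); /* charged once queued */

  queued_clen = (uint16_t)(queued_clen + f->clen);
  return true;
}

/* Completion or timeout: only pbufs that were actually queued give their count back. */
static void reass_release_queued(void) {
  ip_reass_pbufcount = (uint16_t)(ip_reass_pbufcount - queued_clen);
  queued_clen = 0;
}

/* Feed one malformed last fragment (offset + len wraps u16_t) per round, release
   after each, and return the count still charged at the end (constructed input). */
static uint16_t leaked_after(order_t order, int rounds) {
  frag_t bad = { .offset = 0xFFF8, .len = 64, .more_fragments = false, .clen = 1 };
  reass_reset();
  for (int i = 0; i < rounds; i++) {
    reass_process(order, &bad);
    reass_release_queued();
  }
  return ip_reass_pbufcount;
}

/* After `rounds` malformed fragments, is a well-formed one still accepted? */
static bool accepts_good_after(order_t order, int rounds) {
  frag_t good = { .offset = 0, .len = 512, .more_fragments = true, .clen = 2 };
  leaked_after(order, rounds);
  return reass_process(order, &good);
}

int main(void) {
  printf("buggy order: leaked=%u, good fragment accepted=%d\n",
         leaked_after(ORDER_BUGGY, 10), accepts_good_after(ORDER_BUGGY, 10));
  printf("fixed order: leaked=%u, good fragment accepted=%d\n",
         leaked_after(ORDER_FIXED, 10), accepts_good_after(ORDER_FIXED, 10));
  return 0;
}
```

With the increment placed before the check, ten rejected last fragments leave ip_reass_pbufcount at IP_REASS_MAX_PBUFS with nothing queued, and the next legitimate fragment is refused; with the increment moved below the if block, the counter returns to zero and reassembly keeps working. The same stuck counter is the thing to watch for in a running stack: a non-zero ip_reass_pbufcount while no reassembly datagrams are pending.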