[lwip-devel] [bug #24517] IP reassembly crashes on unaligned IP headers

[Simon Goldschmidt]

URL:
  <http://savannah.nongnu.org/bugs/?24517>

                 Summary: IP reassembly crashes on unaligned IP headers
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: goldsimon
            Submitted on: Fr 10 Okt 2008 14:21:56 GMT
                Category: IPv4
                Severity: 4 - Important
              Item Group: Crash Error
                  Status: In Progress
                 Privacy: Public
             Assigned to: goldsimon
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.3.0

    _______________________________________________________

Details:

I don't know if this is a duplicate for #23309. Since we have a detailed
error description here (thanks to Ed), this one is easy to solve.

Ed Sutter described it on lwip-users, here's the mail:

Ok, I've spoken to a few folks off-line about this, and have narrowed it
down a bit further.  There's either a bug or I'm not configuring something
properly...

I'm running LWIP 1.3.0 on a Blackfin, which is picky about accessing longs
on long-word boundaries.  I have MEM_ALIGNMENT set to 4.  My network
generates
occasional fragmented IP packets, and it causes the function
ip_reass_chain_frag_into_datagram_and_validate() to crash.

Here's the flow...
The packet is received and buffered up using pbuf_alloc() (with each payload
aligned on a 4-byte boundary) then that set of pbufs is passed to
ethernet_input().
The ethernet_input() function then sees that it is IP, increments the
payload
pointer by 14 (size of ethernet header) and passes the pbufs to ip_input().
Note that at this point, the payload pointer is no longer aligned on a
4-byte
boundary because the original 4-byte-aligned payload pointer is incremented
by 14.

Next, ip_input() sees that the packet is a fragment, so it calls ip_reass()
which then calls ip_reass_chain_frag_into_datagram_and_validate().  About 15
lines from the top, this function overlays a "helper" structure pointer on
the payload area (which is no longer 4-byte aligned).  The helper
structure's
first member is a pointer which is initialized to NULL, this causes the
crash
because loading the pointer is a 4-byte-wide access, but the pointer is not
on
a 4-byte aligned address.

This is only seen on an alignment-sensitive processor when an fragment is
received.  I made a simple change to the helper structure to fix this (see
below); however, I would like to make sure that there isn't some other
configuration parameter that I should be setting to avoid this.

I changed this...

    struct ip_reass_helper {
      struct pbuf *next_pbuf;    <<<< this member access is not aligned
      u16_t start;
      u16_t end;
    };

to this...

    struct ip_reass_helper {
        PACK_STRUCT_FIELD(u16_t start);
        PACK_STRUCT_FIELD(struct pbuf *next_pbuf);    <<<< now it is
        PACK_STRUCT_FIELD(u16_t end);
      };

and my crash has disappeared.  Putting the 'start' member above the
next_pbuf
pointer will naturally align the pointer, which as far as I can tell will
always be mis-aligned by 2 bytes when MEM_ALIGNMENT is set to 4.

Is this a valid fix or am I just configuring something incorrectly to cause
this crash?

Sorry for the verbosity!
Ed





    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?24517>

_______________________________________________
  Nachricht geschickt von/durch Savannah
  http://savannah.nongnu.org/