[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #27871] Calling tcp_abort() in recv callback can lead
|
From: |
Simon Goldschmidt |
|
Subject: |
[lwip-devel] [bug #27871] Calling tcp_abort() in recv callback can lead to accessing unallocated memory |
|
Date: |
Fri, 30 Oct 2009 17:52:57 +0000 |
|
User-agent: |
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; de; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 |
URL:
<http://savannah.nongnu.org/bugs/?27871>
Summary: Calling tcp_abort() in recv callback can lead to
accessing unallocated memory
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: goldsimon
Submitted on: Fr 30 Okt 2009 17:52:55 GMT
Category: TCP
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.3.1
_______________________________________________________
Details:
This isn't new but has been in there for a while:
When working on the raw api httpd, I found tcp_abort is called within the
recv-callback (e.g. in an error state or when there's a second request to one
pcb which thinks it's already closed). What I want to achieve is to
force-close the pcb in this case resulting in an ACK. For this, I call
tcp_abort and return ERR_ABRT.
However, the code calling TCP_EVENT_RECV() not prepared for this: since
tcp_abort() deallocates the pcb, and the code calling TCP_EVENT_RECV()
accesses the pcb after that call, unallocated memory is accessed.
In the default-recv case, this doesn't lead to a crash, as the memory is not
yet used for another pcb...
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?27871>
_______________________________________________
Nachricht geschickt von/durch Savannah
http://savannah.nongnu.org/
- [lwip-devel] [bug #27871] Calling tcp_abort() in recv callback can lead to accessing unallocated memory,
Simon Goldschmidt <=