[lwip-devel] [bug #50090] last_unsent->oversize

lwip-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #50090] last_unsent->oversize_left can become wrong va

From:	Axel Lin
Subject:	[lwip-devel] [bug #50090] last_unsent->oversize_left can become wrong value in tcp_write error path
Date:	Thu, 19 Jan 2017 10:27:39 +0000 (UTC)
User-agent:	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?50090>

                 Summary: last_unsent->oversize_left can become wrong value in
tcp_write error path
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: axellin
            Submitted on: Thu 19 Jan 2017 10:27:37 AM GMT
                Category: TCP
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.0.0

    _______________________________________________________

Details:

In Phase2: Chain a new pbuf to the end of pcb->unsent.
 492     if ((pos < len) && (space > 0) && (last_unsent->len > 0)) {
 493       u16_t seglen = LWIP_MIN(space, len - pos);
 494       seg = last_unsent;
 495
 496       /* Create a pbuf with a copy or reference to seglen bytes. We
 497        * can use PBUF_RAW here since the data appears in the middle of
 498        * a segment. A header will never be prepended. */
 499       if (apiflags & TCP_WRITE_FLAG_COPY) {
 500         /* Data is copied */
 501         if ((concat_p = tcp_pbuf_prealloc(PBUF_RAW, seglen, space,
&oversize, pcb, apiflags, 1)) == NULL) {
 502           LWIP_DEBUGF(TCP_OUTPUT_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
 503                       ("tcp_write : could not allocate memory for pbuf
copy size %"U16_F"\n",
 504                        seglen));
 505           goto memerr;
 506         }
 507 #if TCP_OVERSIZE_DBGCHECK
 508         last_unsent->oversize_left += oversize;
 509 #endif /* TCP_OVERSIZE_DBGCHECK */

last_unsent->oversize_left is already updated in line 508.

If Phase 3: Create new segments fails in any goto memerr path,
last_unsent->oversize_left becomes wrong.





    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?50090>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[lwip-devel] [bug #50090] last_unsent->oversize_left can become wrong value in tcp_write error path, Axel Lin <=

Prev by Date: [lwip-devel] [bug #50088] socket/netconn: data before RST should be readable
Next by Date: Re: [lwip-devel] Bypassing checksums
Previous by thread: [lwip-devel] [bug #50088] socket/netconn: data before RST should be readable
Next by thread: [lwip-devel] [bug #50097] Disabling struct packing should be official
Index(es):
- Date
- Thread