lwip-users
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-users] [lwip] lwIP bug, possible memory leakage


From: Adam Dunkels
Subject: [lwip-users] [lwip] lwIP bug, possible memory leakage
Date: Wed, 08 Jan 2003 21:45:36 -0000

Hi!

Thanks to Mikael Caleres, the following bug was found yesterday. 

In situations where system resources is running scarce (such as when hitting 
the "Reload" button repeatedly in browser when browsing on an lwIP 
webserver), some memory leakage may occur. The problem is in the function 
that is called when a new connection is established (accept_function() in 
src/api/api_msg.c) and in the tcp_process() function in 
src/core/proto/tcp_input.c. There are two problems with this.

If accept_function() fails to allocate a netconn structure, it returns with 
an error (ERR_MEM). The problem is that this is not handled properly by 
tcp_process(); it does not check the return value and will retain the 
connection even though the application never will be able to handle the 
connection. This has been changed so that the connection is aborted if 
accept_function() returns with an error.

The other problem lies in the accept_function() function. It allocates a 
system mailbox (sys_mbox) but does not check whether it was able to allocate 
the mailbox or not. This leads to errors when the connection is used later.

Below are the diffs to lwIP verision 0.4.1. The bugfixes are also avaliable 
through the CVS code on the homepage.

File src/api/api_msg.c

115a116,119
>   if(newconn->recvmbox == SYS_MBOX_NULL) {
>     memp_free(MEMP_NETCONN, newconn);
>     return ERR_MEM;
>   }
116a121,125
>   if(newconn->mbox == SYS_MBOX_NULL) {
>     memp_free(MEMP_NETCONN, newconn);
>     sys_mbox_free(newconn->recvmbox);
>     return ERR_MEM;
>   }

File src/core/proto/tcp_input.c

463,464c463,477
<           pcb->accept(pcb->accept_arg, pcb, ERR_OK);
<         }
---
>           if(pcb->accept(pcb->accept_arg, pcb, ERR_OK) != ERR_OK) {
>           /* If the accept function returns with an error, we abort
>                the connection. */
>           tcp_abort(pcb);
>           break;
>         }
>         } else {
>         /* If a PCB does not have an accept function (i.e., no
>              application is connected to it), the connection would
>              linger in memory until the connection reset by the remote
>              peer (which might never happen). Therefore, we abort the
>              connection before it is too late. */
>         tcp_abort(pcb);
>         break;
>       }

/adam
-- 
Adam Dunkels <address@hidden>
http://www.sics.se/~adam
[This message was sent through the lwip discussion list.]




reply via email to

[Prev in Thread] Current Thread [Next in Thread]