R: RE : [lwip-users] ip_reass stop

[Bessone Danilo]

Hi

I think to have pinpointed a bug in the lwIP code that is the cause of a memory 
fault when pinging with lengths greater than 1500.
This happens ONLY when lwIP is ported in a 32-bits environment (ARM920T in my 
case).
The bug is in the pbuf_alloc() function (file pbuf.c) where I have found a 
program inconsistency when pbuf_alloc() is called with the flag parameter set 
to PBUF_POOL. In this case in the "case PBUF_POOL" statement there is an 
incongruency between two instructions. The first is the following:

p->payload = MEM_ALIGN((void *)((u8_t *)p + (sizeof(struct pbuf) + offset)));

where - when MEM_ALIGNMENT = 4 and the value of "offset" is not a multiple of 4 
- p->payload will be incremented by a certain quantity in order to obtain the 
required alignment.

BUT, few lines later, the following instruction does not take into account the 
above increment:

p->len = length > PBUF_POOL_BUFSIZE - offset? PBUF_POOL_BUFSIZE - offset: 
length;

This is an error because the available memory has been reduced by the alignment 
instruction. As consequence this instruction will set p->len with a value that 
is greater than permitted and the program is allowed to write in a memory area 
that does not belong to the allocated buffer. This can cause a program crash...

I have resolved this problem by inserting from the above first and the second 
instructions the following line of code:

offset = (u8_t *)p->payload - ((u8_t *)p + sizeof(struct pbuf));

In this mode "offset" is incremented by the same quantity required for the 
correct alignment of p->payload and - as consequence - p->len will be set to 
the expected value.

Danilo Bessone



-----Messaggio originale-----
Da: address@hidden [mailto:address@hidden Per conto di Frédéric BERNON
Inviato: martedì 29 gennaio 2008 19.24
A: Mailing list for lwIP users
Oggetto: RE : [lwip-users] ip_reass stop

I don't have any problems with my target with "ping -l 65500". But I have high 
values in my lwipopts.h to be able to receive large datagrams. Do you have try 
to activate some traces to see where is the problem ?

 
  
====================================
Frédéric BERNON 
HYMATOM SA 
Chef de projet informatique 
Microsoft Certified Professional 
Tél. : +33 (0)4-67-87-61-10 
Fax. : +33 (0)4-67-70-85-44 
Email : address@hidden 
Web Site : http://www.hymatom.fr 
====================================
P Avant d'imprimer, penser à l'environnement
 


-----Message d'origine-----
De : address@hidden [mailto:address@hidden De la part de Valdemar
Envoyé : mardi 29 janvier 2008 15:28
À : Mailing list for lwIP users
Objet : [lwip-users] ip_reass stop


Hi
When trying to find out why my lwip-application suddenly stops receiving I 
found that sending an UDP block of more than 1476 bytes to my application 
caused a memory error. I got an abort in the function ip_reass at offset 0x308. 
I get the same error when pinging with the same amount of bytes.

My application works fine when running in my small laboratory network, but when 
it is put in my customers much bigger network it stops receiving after a while. 
I guess my application receives something that makes it stop.

Would be much grateful for any ideas of what I can do to fix this.

Thanks
Germund Asp

Attached is my lwipopts file.


--------------------------------------------------------------------

CONFIDENTIALITY NOTICE

This message and its attachments are addressed solely to the persons above and 
may contain confidential information. If you have received the message in 
error, be informed that any use of the content hereof is prohibited. Please 
return it immediately to the sender and delete the message. Should you have any 
questions, please contact us by replying to address@hidden

        Thank you

                                        www.telecomitalia.it

--------------------------------------------------------------------