[lwip-devel] [patch #5796] pbuf_alloc: len field calculation causes memo
From: Simon Goldschmidt
Subject: [lwip-devel] [patch #5796] pbuf_alloc: len field calculation causes memory corruption
Date: Sun, 11 Mar 2007 17:15:21 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
URL:
<http://savannah.nongnu.org/patch/?5796>
Summary: pbuf_alloc: len field calculation causes memory corruption
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: goldsimon
Submitted on: Sunday 11.03.2007 at 17:15
Category: None
Priority: 7 - High
Status: In Progress
Privacy: Public
Assigned to: goldsimon
Originator Email:
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
When calling

    pbuf_alloc(PBUF_LINK, size, PBUF_POOL)

with size > PBUF_POOL_BUFSIZE and if PBUF_LINK_HLEN is not a multiple of
MEM_ALIGNMENT, the calculation of the 'len' field results in the pbuf being
longer than its actual payload:

original code (offset is too small -> len is too long):

    p->len = length > PBUF_POOL_BUFSIZE - offset ? PBUF_POOL_BUFSIZE - offset : length;

patch:

    p->len = length > PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset) ?
             PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset) : length;

This still relies on struct pbuf being a multiple of MEM_ALIGNMENT (which it
may or may not be), so I also added an assert statement for this in
pbuf_init().
If no one objects, I'll check it in.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Sunday 11.03.2007 at 17:15  Name: pbuf_pool_smallchunks.patch  Size: 1kB  By: goldsimon
<http://savannah.nongnu.org/patch/download.php?file_id=12172>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/patch/?5796>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
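
The arithmetic behind the report, as an added C example that is not part of the original message or the attached patch. It models a single pool element; the values chosen for MEM_ALIGNMENT, PBUF_POOL_BUFSIZE, PBUF_LINK_HLEN and the header size, the helper names, and the assumption that the payload starts at the aligned offset behind the header are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed values for illustration; real ones come from the lwIP port. */
#define MEM_ALIGNMENT     4u
#define PBUF_POOL_BUFSIZE 128u
#define PBUF_LINK_HLEN    14u   /* assumed: not a multiple of MEM_ALIGNMENT */
#define HDR_SIZE          16u   /* stand-in for sizeof(struct pbuf), assumed aligned */
#define MEM_ALIGN_SIZE(s) (((s) + MEM_ALIGNMENT - 1u) & ~(MEM_ALIGNMENT - 1u))

/* len as computed before the patch: uses the raw header offset. */
static unsigned len_original(unsigned length, unsigned offset) {
  return length > PBUF_POOL_BUFSIZE - offset ? PBUF_POOL_BUFSIZE - offset : length;
}

/* len as computed by the patch: uses the aligned offset. */
static unsigned len_patched(unsigned length, unsigned offset) {
  return length > PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset)
             ? PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset) : length;
}

/* Fill 'len' payload bytes of a model pool element and count how many bytes
 * of the guard region placed directly behind the element were overwritten. */
static unsigned bytes_past_element(unsigned len, unsigned offset) {
  unsigned char mem[HDR_SIZE + PBUF_POOL_BUFSIZE + 8u];
  unsigned i, hit = 0;
  memset(mem, 0xAA, sizeof mem);
  /* assumed layout: payload starts at the aligned offset behind the header */
  memset(mem + HDR_SIZE + MEM_ALIGN_SIZE(offset), 0x55, len);
  for (i = HDR_SIZE + PBUF_POOL_BUFSIZE; i < sizeof mem; i++)
    hit += (mem[i] != 0xAA);
  return hit;
}

int main(void) {
  unsigned size = 2u * PBUF_POOL_BUFSIZE;  /* size > PBUF_POOL_BUFSIZE */
  unsigned before = len_original(size, PBUF_LINK_HLEN);
  unsigned after = len_patched(size, PBUF_LINK_HLEN);
  printf("original: len=%u, bytes past element=%u\n", before,
         bytes_past_element(before, PBUF_LINK_HLEN));
  printf("patched:  len=%u, bytes past element=%u\n", after,
         bytes_past_element(after, PBUF_LINK_HLEN));
  return 0;
}
```

The overshoot equals MEM_ALIGN_SIZE(offset) - offset, so it disappears whenever the header length is already a multiple of MEM_ALIGNMENT.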