[lwip-devel] [bug #20237] pbuf memory corruption

From: Spark Jon
Subject: [lwip-devel] [bug #20237] pbuf memory corruption
Date: Fri, 22 Jun 2007 08:48:38 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070508 Firefox/


                 Summary: pbuf memory corruption
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: sparkjon
            Submitted on: Friday 06/22/2007 at 08:48
                Category: pbufs
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any



pbuf.c - pbuf_alloc()

The pbuf corrupts the next pbuf under the following conditions:
1. If p->payload has been aligned and moved:
   p->payload = MEM_ALIGN((void *)((u8_t *)p + (sizeof(struct pbuf) + offset)));

2. length > PBUF_POOL_BUFSIZE - offset:
   p->len = length > PBUF_POOL_BUFSIZE - offset ?
            PBUF_POOL_BUFSIZE - offset : length;

The following code fragment fixed the alignment problem, which caused
p->payload + p->len to go beyond the range of the pbuf, so that a later data
write to the p->payload address with p->len would overwrite the p->next value.

/* set the length of the first pbuf in the chain */
pbuf_end = (u32)p + sizeof(struct pbuf) + PBUF_POOL_BUFSIZE;
p->len = length > pbuf_end - (u32)p->payload ? pbuf_end - (u32)p->payload :
         length;


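The following is an added example, not code from the report or from lwIP, that reproduces the arithmetic described in the report on a constructed two-element pool. PBUF_POOL_BUFSIZE, MEM_ALIGNMENT and the struct pbuf field layout are assumed values chosen for the demo, and a pool element is modelled as the header followed by PBUF_POOL_BUFSIZE payload bytes, which is what the report's pbuf_end calculation assumes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed configuration, not lwIP's: small values keep the arithmetic easy to follow. */
#define PBUF_POOL_BUFSIZE 128u
#define MEM_ALIGNMENT     4u
#define MEM_ALIGN(a) ((void *)(((uintptr_t)(a) + MEM_ALIGNMENT - 1u) & ~(uintptr_t)(MEM_ALIGNMENT - 1u)))

struct pbuf {                    /* header layout modelled on lwIP's struct pbuf */
    struct pbuf *next;
    void *payload;
    uint16_t tot_len, len, flags, ref;
};
/* One pool element: header followed by PBUF_POOL_BUFSIZE payload bytes, as in pbuf_alloc(). */
#define POOL_ELEM_SIZE (sizeof(struct pbuf) + PBUF_POOL_BUFSIZE)
union pool_elem { struct pbuf hdr; unsigned char raw[POOL_ELEM_SIZE]; };

/* p->len as computed in the reported code: the bound ignores the bytes MEM_ALIGN moved the
 * payload forward, so payload + len can reach past the end of the element. */
static uint16_t len_reported(size_t length, size_t offset)
{
    size_t avail = PBUF_POOL_BUFSIZE - offset;
    return (uint16_t)(length > avail ? avail : length);
}

/* p->len as in the proposed fix: bounded by the real end of the pool element. */
static uint16_t len_fixed(const struct pbuf *p, size_t length)
{
    uintptr_t pbuf_end = (uintptr_t)p + POOL_ELEM_SIZE;
    size_t avail = (size_t)(pbuf_end - (uintptr_t)p->payload);
    return (uint16_t)(length > avail ? avail : length);
}

/* Two pool elements back to back: set up the first with the given header offset, fill its
 * payload for p->len bytes (the "later data write") and report whether the second element's
 * 'next' field was overwritten. Returns 1 if corrupted, 0 if intact. */
int next_pbuf_corrupted(size_t offset, size_t length, int use_fix)
{
    union pool_elem pool[2];
    memset(pool, 0, sizeof pool);                 /* q->next == NULL is the sentinel */
    struct pbuf *p = &pool[0].hdr, *q = &pool[1].hdr;
    p->payload = MEM_ALIGN((uint8_t *)p + sizeof(struct pbuf) + offset);
    p->len = use_fix ? len_fixed(p, length) : len_reported(length, offset);
    memset(p->payload, 0xAA, p->len);
    return q->next != NULL;
}
```

With offset 54 (14 + 20 + 20 bytes of Ethernet, IP and TCP headers, not a multiple of MEM_ALIGNMENT) the reported computation writes two bytes into the following element's next pointer, while an offset that is already aligned, such as 56, stays in bounds with either computation.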
