[lwip-devel] tcp_receive can try to deref a NULL pointer

From: Art R.
Subject: [lwip-devel] tcp_receive can try to deref a NULL pointer
Date: Mon, 23 Jun 2008 10:57:02 -0700 (PDT)

In tcp_in.c at about lines 1190-1200:
                cseg = tcp_seg_copy(&inseg);
                if (cseg != NULL) {
                  cseg->next = next->next;
                  if (prev != NULL) {
                    prev->next = cseg;
                  } else {
                    pcb->ooseq = cseg;
                if (cseg->next != NULL) {

The implementation of tcp_seg_copy() includes this bit to do the allocation:
  cseg = memp_malloc(MEMP_TCP_SEG);
  if (cseg == NULL) {
    return NULL;

tcp_seg_copy() returns a NULL pointer if the seg pool is exhausted. (We
have observed this - if the sender fails to receive ACKs.)
The if (cseg->next) would then try to dereference a NULL pointer.

Probably the code should just skip over the whole attempt to insert the new
pkt if it is unable to get a seg (if memp_malloc() returns a NULL)?

Art R.
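
The skip-on-allocation-failure handling suggested in the message above, as an added example that is not part of the original post and is not lwIP's code. struct seg, seg_copy(), ooseq_insert(), ooseq_len() and the two-entry pool are simplified, hypothetical stand-ins for tcp_seg, tcp_seg_copy() and the MEMP_TCP_SEG pool.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for lwIP's struct tcp_seg and its MEMP_TCP_SEG pool. */
struct seg { struct seg *next; unsigned seqno; };

#define POOL_SIZE 2               /* constructed: tiny pool to force exhaustion */
static struct seg pool[POOL_SIZE];
static int pool_used;

/* Like tcp_seg_copy(): returns NULL once the pool is exhausted. */
static struct seg *seg_copy(const struct seg *src) {
  if (pool_used >= POOL_SIZE) return NULL;
  struct seg *c = &pool[pool_used++];
  *c = *src;
  return c;
}

/* Insert a copy of inseg between prev and next in the out-of-sequence queue.
 * Returns 1 on insert, 0 if the segment was dropped (queue left untouched). */
static int ooseq_insert(struct seg **ooseq, struct seg *prev,
                        struct seg *next, const struct seg *inseg) {
  struct seg *cseg = seg_copy(inseg);
  if (cseg == NULL) {
    return 0;                     /* skip the whole insert attempt */
  }
  cseg->next = next;
  if (prev != NULL) {
    prev->next = cseg;
  } else {
    *ooseq = cseg;
  }
  /* Every later use of cseg, such as cseg->next, stays on this non-NULL path. */
  return 1;
}

static int ooseq_len(const struct seg *s) {
  int n = 0;
  for (; s != NULL; s = s->next) n++;
  return n;
}

int main(void) {
  struct seg *q = NULL, in = { NULL, 100 };   /* constructed sample segment */
  for (int i = 0; i < 3; i++)
    printf("insert %d -> %d\n", i, ooseq_insert(&q, NULL, q, &in));
  printf("queue length %d\n", ooseq_len(q));
  return 0;
}
```

The third insert finds the pool empty and is dropped without touching the queue, which is the case the message reports as reaching the cseg->next check with a NULL cseg.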
