In tcp_in.c at about lines 1190-1200:
cseg = tcp_seg_copy(&inseg);
if (cseg != NULL) {
  cseg->next = next->next;
  if (prev != NULL) {
    prev->next = cseg;
  } else {
    pcb->ooseq = cseg;
  }
}
tcp_seg_free(next);
if (cseg->next != NULL) {
The implementation of tcp_seg_copy() includes this bit to do the allocation:
cseg = memp_malloc(MEMP_TCP_SEG);
if (cseg == NULL) {
  return NULL;
}
The tcp_seg_copy() returns a NULL pointer if the seg pool is exhausted. (We
have observed this - if the sender fails to receive ACKs.)
The if (cseg->next) would then try to dereference a NULL pointer.
Probably the code should just skip over the whole attempt to insert the new
pkt if it is unable to get a seg (if memp_malloc() returns a NULL)?
Thanks,
Art R.
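A small C model of the failure mode described in the report, added here as an illustration; it is not lwIP's own code. A fixed-size pool stands in for MEMP_TCP_SEG, a `pcb->ooseq` list stands in for the out-of-sequence queue, and `ooseq_replace_next()` applies the suggested fix: when the copy cannot be allocated the whole insertion is skipped, so `next` is neither unlinked nor freed and `cseg->next` is never read through a NULL pointer. All names here (`seg_alloc`, `seg_copy`, `ooseq_replace_next`, `ooseq_build`, `SEG_POOL_SIZE`) are assumptions of the example, not lwIP identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the MEMP_TCP_SEG pool: four segments, no heap. */
#define SEG_POOL_SIZE 4

struct tcp_seg {
    struct tcp_seg *next;
    unsigned int seqno;
    unsigned int len;
};

struct tcp_pcb {
    struct tcp_seg *ooseq;   /* head of the out-of-sequence queue */
};

static struct tcp_seg seg_pool[SEG_POOL_SIZE];
static unsigned char seg_in_use[SEG_POOL_SIZE];

/* Stand-in for memp_malloc(MEMP_TCP_SEG): NULL once the pool is exhausted. */
static struct tcp_seg *seg_alloc(void) {
    for (int i = 0; i < SEG_POOL_SIZE; i++) {
        if (!seg_in_use[i]) {
            seg_in_use[i] = 1;
            memset(&seg_pool[i], 0, sizeof seg_pool[i]);
            return &seg_pool[i];
        }
    }
    return NULL;
}

/* Stand-in for tcp_seg_free(): returns the slot to the pool. */
static void seg_free(struct tcp_seg *s) {
    if (s != NULL) {
        seg_in_use[s - seg_pool] = 0;
    }
}

static void pool_reset(void) {
    memset(seg_in_use, 0, sizeof seg_in_use);
}

/* Stand-in for tcp_seg_copy(): propagates the allocation failure as NULL. */
static struct tcp_seg *seg_copy(const struct tcp_seg *src) {
    struct tcp_seg *c = seg_alloc();
    if (c == NULL) {
        return NULL;
    }
    c->seqno = src->seqno;
    c->len = src->len;
    c->next = NULL;
    return c;
}

/* Guarded form of the splice: replace `next` with a copy of `inseg`.
 * Returns -1 when no segment could be allocated (queue left untouched),
 * otherwise 0 if the new segment is now the tail and 1 if more follows.
 * The unguarded form on the page frees `next` and reads cseg->next even
 * when cseg is NULL; here nothing is freed or relinked unless the copy
 * succeeded, and cseg->next is only read after the NULL check. */
static int ooseq_replace_next(struct tcp_pcb *pcb, struct tcp_seg *prev,
                              struct tcp_seg *next, const struct tcp_seg *inseg) {
    struct tcp_seg *cseg = seg_copy(inseg);
    if (cseg == NULL) {
        return -1;               /* pool exhausted: skip the whole insertion */
    }
    cseg->next = next->next;
    if (prev != NULL) {
        prev->next = cseg;
    } else {
        pcb->ooseq = cseg;
    }
    seg_free(next);
    return (cseg->next != NULL) ? 1 : 0;
}

/* Fill the queue with up to n segments; returns how many were allocated. */
static int ooseq_build(struct tcp_pcb *pcb, int n) {
    struct tcp_seg *tail = NULL;
    int built = 0;
    pcb->ooseq = NULL;
    for (int i = 0; i < n; i++) {
        struct tcp_seg *s = seg_alloc();
        if (s == NULL) {
            break;
        }
        s->seqno = (unsigned int)i * 10u;
        s->len = 10;
        if (tail == NULL) {
            pcb->ooseq = s;
        } else {
            tail->next = s;
        }
        tail = s;
        built++;
    }
    return built;
}

static int ooseq_len(const struct tcp_pcb *pcb) {
    int n = 0;
    for (const struct tcp_seg *s = pcb->ooseq; s != NULL; s = s->next) {
        n++;
    }
    return n;
}

int main(void) {
    struct tcp_pcb pcb = { NULL };
    struct tcp_seg inseg = { NULL, 15, 10 };   /* constructed incoming segment */
    pool_reset();
    ooseq_build(&pcb, SEG_POOL_SIZE);          /* exhaust the pool, as under ACK loss */
    int rc = ooseq_replace_next(&pcb, NULL, pcb.ooseq, &inseg);
    printf("pool exhausted: rc=%d, queue length still %d\n", rc, ooseq_len(&pcb));
    return 0;
}
```

The point of the guarded form is ordering: the copy is attempted first, and `next` is only unlinked and freed once the copy exists, so an exhausted pool degrades to "segment dropped" rather than a NULL dereference on `cseg->next` or a dangling `next` that has been freed but is still linked.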