[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #23693] tcp_receive does not handle 'no more segs avai

From: Art R.
Subject: [lwip-devel] [bug #23693] tcp_receive does not handle 'no more segs available' from tcp_seg_copy
Date: Tue, 24 Jun 2008 14:40:19 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20080404 Firefox/


                 Summary: tcp_receive does not handle 'no more segs
available' from tcp_seg_copy
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: tdir
            Submitted on: Tuesday 06/24/2008 at 14:40
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.3.0



The function tcp_receive() in tcp_in.c can fail by dereferencing a NULL
pointer if the seg pool has no more available segs. The code calls
tcp_seg_copy() to get a seg but does not properly handle the case where a NULL
result is returned (indicating there are no more available segs).

The correction would be to check the return value from tcp_seg_copy() and do
nothing if no seg is obtained. The code currently does this partially but can
still attempt to deref a NULL ptr. Doing so will probably crash the stack.

Relevant code (from tcp_in.c at about line 1190)
                cseg = tcp_seg_copy(&inseg);
                if (cseg != NULL) {
                  cseg->next = next->next;
                  if (prev != NULL) {
                    prev->next = cseg;
                  } else {
                    pcb->ooseq = cseg;
                if (cseg->next != NULL) { // cseg may be NULL



Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]