From: | Art R. |
Subject: | [lwip-devel] [bug #23693] tcp_receive does not handle 'no more segs available' from tcp_seg_copy |
Date: | Tue, 24 Jun 2008 14:40:19 +0000 |
User-agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 |
URL:
  <http://savannah.nongnu.org/bugs/?23693>

Summary: tcp_receive does not handle 'no more segs available' from tcp_seg_copy
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: tdir
Submitted on: Tuesday 06/24/2008 at 14:40
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.3.0

_______________________________________________________

Details:

The function tcp_receive() in tcp_in.c can fail by dereferencing a NULL pointer if the seg pool has no more available segs.

The code calls tcp_seg_copy() to get a seg but does not properly handle the case where a NULL result is returned (indicating there are no more available segs).

The correction would be to check the return value from tcp_seg_copy() and do nothing if no seg is obtained. The code currently does this partially but can still attempt to deref a NULL ptr. Doing so will probably crash the stack.

Relevant code (from tcp_in.c at about line 1190):

    cseg = tcp_seg_copy(&inseg);
    if (cseg != NULL) {
      cseg->next = next->next;
      if (prev != NULL) {
        prev->next = cseg;
      } else {
        pcb->ooseq = cseg;
      }
    }
    tcp_seg_free(next);
    if (cseg->next != NULL) { // cseg may be NULL

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?23693>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
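
The correction described in the report (check the result of tcp_seg_copy() and do nothing when it is NULL), shown on a simplified model of the out-of-sequence queue. This is an added example, not lwIP's code or its actual fix; struct seg, seg_copy, seg_free, ooseq_replace and the 4-entry pool are hypothetical stand-ins.

```c
#include <stddef.h>

/* Simplified model of a fixed-size segment pool; every name here is hypothetical. */
#define POOL_SIZE 4
struct seg { struct seg *next; int seqno; int in_use; };
static struct seg pool[POOL_SIZE];

/* Returns NULL when the pool is exhausted, like tcp_seg_copy() in the report. */
struct seg *seg_copy(const struct seg *src) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i] = *src;
            pool[i].in_use = 1;
            pool[i].next = NULL;
            return &pool[i];
        }
    }
    return NULL;
}

void seg_free(struct seg *s) { if (s != NULL) s->in_use = 0; }

/* Replace queued segment `next` (after `prev`, or at the head when prev is
 * NULL) with a copy of `inseg`. Returns 1 on success, 0 when no seg was
 * available; in that case the queue is untouched and cseg is never used. */
int ooseq_replace(struct seg **head, struct seg *prev,
                  struct seg *next, const struct seg *inseg) {
    struct seg *cseg = seg_copy(inseg);
    if (cseg == NULL) {
        return 0;               /* pool exhausted: do nothing */
    }
    cseg->next = next->next;
    if (prev != NULL) {
        prev->next = cseg;
    } else {
        *head = cseg;
    }
    seg_free(next);             /* the reported snippet frees outside the NULL check */
    return 1;
}

int main(void) {
    struct seg a = {NULL, 100, 0}, in = {NULL, 150, 0};
    struct seg *head = seg_copy(&a);              /* queue holds one segment */
    while (seg_copy(&a) != NULL) { }              /* drain the rest of the pool */
    return ooseq_replace(&head, NULL, head, &in); /* 0: nothing replaced */
}
```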