Re: [lwip-devel] tcp_receive can try to deref a NULL pointer


From: Art R.
Subject: Re: [lwip-devel] tcp_receive can try to deref a NULL pointer
Date: Tue, 24 Jun 2008 07:51:11 -0700 (PDT)

I filed as bug 23693.
I will try to create a patch, and I'd prefer submitting a patch for 1.3.0,
but we're still on a slightly older version (so I can test the older version
but not the 1.3.0).
Here is the fix I'd propose - let me know if you can use this or if you'd
still like a patch. (It'll take a few days as I'm working another task at
the moment.)
Just replace the section in tcp_in.c @ 1190
                cseg = tcp_seg_copy(&inseg);
                if (cseg != NULL) {
                  cseg->next = next->next;
                  if (prev != NULL) {
                    prev->next = cseg;
                  } else {
                    pcb->ooseq = cseg;
                  }
                }
                tcp_seg_free(next);
                if (cseg->next != NULL) {
 
with (UNTESTED)
                cseg = tcp_seg_copy(&inseg);
                // If no seg available, do nothing.
                if (cseg == NULL) {
                    break;
                }
                // Insert the new seg
                cseg->next = next->next;
                if (prev != NULL) {
                  prev->next = cseg;
                } else {
                  pcb->ooseq = cseg;
                }
                // Release the old seg - it just got replaced with new one.
                tcp_seg_free(next);
                if (cseg->next != NULL) {


address@hidden wrote:
> 
> Would you mind filing a bug at the savannah bugtracker 
> (http://savannah.nongnu.org/bugs/?group=lwip)?
> Maybe you could also propose a fix in form of a patch file.
> 
> Thanks,
> Simon
> 
> 
> Art R. wrote:
>> in tcp_in.c at about lines 1190-1200
>>                 cseg = tcp_seg_copy(&inseg);
>>                 if (cseg != NULL) {
>>                   cseg->next = next->next;
>>                   if (prev != NULL) {
>>                     prev->next = cseg;
>>                   } else {
>>                     pcb->ooseq = cseg;
>>                   }
>>                 }
>>                 tcp_seg_free(next);
>>                 if (cseg->next != NULL) {
>>
>> The implementation of tcp_seg_copy() includes this bit to do the
>> allocation:
>>   cseg = memp_malloc(MEMP_TCP_SEG);
>>   if (cseg == NULL) {
>>     return NULL;
>>   }
>>
>>
>> The tcp_seg_copy() returns a NULL pointer if the seg pool is exhausted.
>> (We have observed this - if the sender fails to receive ACKs.)
>> The if (cseg->next) would then try to dereference a NULL pointer.
>>
>> Probably the code should just skip over the whole attempt to insert the
>> new pkt if it is unable to get a seg (if memp_malloc() returns a NULL)?
>>
>> Thanks,
>> Art R.
>>
>>   
> 
> 
> 
> _______________________________________________
> lwip-devel mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/lwip-devel
> 
> 

-- 
View this message in context: 
http://www.nabble.com/tcp_receive-can-try-to-deref-a-NULL-pointer-tp18074665p18092784.html
Sent from the lwip-devel mailing list archive at Nabble.com.
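
The guarded replacement discussed in the message above, as an added example that is not part of the original post or of lwIP's code. It is a small C model in which seg_alloc, seg_copy, ooseq_replace and demo are hypothetical stand-ins for memp_malloc(MEMP_TCP_SEG), tcp_seg_copy() and the tcp_receive section; it shows that returning before cseg is touched leaves the out-of-sequence list intact when the pool is exhausted.

```c
#include <stddef.h>
/* Constructed stand-ins for lwIP's tcp_seg and its fixed-size segment pool. */
struct seg { struct seg *next; unsigned seqno; unsigned len; int in_use; };
#define POOL_SIZE 2
static struct seg pool[POOL_SIZE];
/* Models memp_malloc(MEMP_TCP_SEG): returns NULL once the pool is exhausted. */
static struct seg *seg_alloc(void) {
  for (int i = 0; i < POOL_SIZE; i++) {
    if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].next = NULL; return &pool[i]; }
  }
  return NULL;
}
static void seg_free(struct seg *s) { s->in_use = 0; }
/* Models tcp_seg_copy(): propagates the allocation failure as NULL. */
static struct seg *seg_copy(const struct seg *src) {
  struct seg *c = seg_alloc();
  if (c != NULL) { c->seqno = src->seqno; c->len = src->len; }
  return c;
}

/* Replace `next` in the ooseq list with a copy of `inseg`.
 * Returns 1 on success, 0 if no segment was available (list left untouched). */
int ooseq_replace(struct seg **ooseq, struct seg *prev, struct seg *next,
                  const struct seg *inseg) {
  struct seg *cseg = seg_copy(inseg);
  if (cseg == NULL) {
    return 0;  /* stop before `next` is freed or cseg->next is read */
  }
  cseg->next = next->next;
  if (prev != NULL) { prev->next = cseg; } else { *ooseq = cseg; }
  seg_free(next);
  return 1;
}

/* Scenario: one queued segment gets replaced; optionally exhaust the pool first.
 * Returns 1 = replaced, 0 = skipped with list intact, -1 = inconsistent state. */
int demo(int exhaust_pool) {
  struct seg inseg = { NULL, 100, 512, 0 };  /* constructed incoming segment */
  for (int i = 0; i < POOL_SIZE; i++) { pool[i].in_use = 0; }
  struct seg *old = seg_alloc();
  old->seqno = 100; old->len = 64;
  struct seg *ooseq = old;
  if (exhaust_pool) { (void)seg_alloc(); }
  if (ooseq_replace(&ooseq, NULL, old, &inseg)) {
    return (ooseq != old && ooseq->len == 512 && !old->in_use) ? 1 : -1;
  }
  return (ooseq == old && old->in_use && old->len == 64) ? 0 : -1;
}

int main(void) { return (demo(0) == 1 && demo(1) == 0) ? 0 : 1; }
```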




