Re: [lwip-devel] tcp_receive can try to deref a NULL pointer
From: Art R.
Subject: Re: [lwip-devel] tcp_receive can try to deref a NULL pointer
Date: Tue, 24 Jun 2008 07:51:11 -0700 (PDT)

I filed as bug 23693.
I will try to create a patch, and I'd prefer submitting a patch for 1.3.0,
but we're still on a slightly older version (so I can test the older version
but not the 1.3.0).
Here is the fix I'd propose - let me know if you can use this or if you'd
still like a patch. (It'll take a few days as I'm working another task at
the moment.)
Just replace the section in tcp_in.c @ 1190

    cseg = tcp_seg_copy(&inseg);
    if (cseg != NULL) {
      cseg->next = next->next;
      if (prev != NULL) {
        prev->next = cseg;
      } else {
        pcb->ooseq = cseg;
      }
    }
    tcp_seg_free(next);
    if (cseg->next != NULL) {

with (UNTESTED)

    cseg = tcp_seg_copy(&inseg);
    // If no seg available, do nothing.
    if (cseg == NULL) {
      break;
    }
    // Insert the new seg
    cseg->next = next->next;
    if (prev != NULL) {
      prev->next = cseg;
    } else {
      pcb->ooseq = cseg;
    }
    // Release the old seg - it just got replaced with new one.
    tcp_seg_free(next);
    if (cseg->next != NULL) {

address@hidden wrote:
>
> Would you mind to file a bug at the savannah bugtracker
> (http://savannah.nongnu.org/bugs/?group=lwip)?
> Maybe you could also propose a fix in form of a patch file.
>
> Thanks,
> Simon
>
>
> Art R. wrote:
>> in tcp_in.c at about lines 1190-1200
>>     cseg = tcp_seg_copy(&inseg);
>>     if (cseg != NULL) {
>>       cseg->next = next->next;
>>       if (prev != NULL) {
>>         prev->next = cseg;
>>       } else {
>>         pcb->ooseq = cseg;
>>       }
>>     }
>>     tcp_seg_free(next);
>>     if (cseg->next != NULL) {
>>
>> The implementation of tcp_seg_copy() includes this bit to do the
>> allocation:
>>     cseg = memp_malloc(MEMP_TCP_SEG);
>>     if (cseg == NULL) {
>>       return NULL;
>>     }
>>
>>
>> The tcp_seg_copy() returns a NULL pointer if the seg pool is exhausted.
>> (We have observed this - if the sender fails to receive ACKs.)
>> The if (cseg->next) would then try to dereference a NULL pointer.
>>
>> Probably the code should just skip over the whole attempt to insert the
>> new pkt if it is unable to get a seg (if memp_malloc() returns a NULL)?
>>
>> Thanks,
>> Art R.
>>
>>
--
View this message in context:
http://www.nabble.com/tcp_receive-can-try-to-deref-a-NULL-pointer-tp18074665p18092784.html
Sent from the lwip-devel mailing list archive at Nabble.com.
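
Added example, not part of the original message or of lwIP: a self-contained C model of the segment replacement discussed in this thread, with the allocation result checked before any use of cseg. The seg and pcb structs, the two-entry pool and the names seg_alloc, seg_copy and ooseq_replace are simplified stand-ins assumed for illustration. On failure it also leaves the old segment linked and unfreed, since the quoted code calls tcp_seg_free(next) whether or not the copy succeeded.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for lwIP's tcp_seg, tcp_pcb and segment pool (assumed). */
struct seg { struct seg *next; int seqno; int in_use; };
struct pcb { struct seg *ooseq; };

#define POOL_SIZE 2                     /* constructed: tiny pool, easy to exhaust */
static struct seg pool[POOL_SIZE];

/* Models memp_malloc(MEMP_TCP_SEG): NULL when the pool is exhausted. */
static struct seg *seg_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].next = NULL;
            return &pool[i];
        }
    }
    return NULL;
}

static void seg_free(struct seg *s) { s->in_use = 0; }

/* Models tcp_seg_copy(): propagates the allocation failure as NULL. */
static struct seg *seg_copy(const struct seg *src) {
    struct seg *c = seg_alloc();
    if (c != NULL) c->seqno = src->seqno;
    return c;
}

/* Replace `next` in the out-of-sequence list with a copy of `inseg`.
 * Returns 0 on success, -1 if no segment is available; on failure the
 * list is untouched and `next` stays allocated and linked. */
static int ooseq_replace(struct pcb *pcb, struct seg *prev,
                         struct seg *next, const struct seg *inseg) {
    struct seg *cseg = seg_copy(inseg);
    if (cseg == NULL) return -1;        /* checked before any cseg-> access */
    cseg->next = next->next;
    if (prev != NULL) prev->next = cseg; else pcb->ooseq = cseg;
    seg_free(next);                     /* only after the replacement is linked */
    return 0;
}

int main(void) {
    struct pcb p = { NULL };
    struct seg in = { NULL, 100, 0 };   /* constructed incoming segment */
    struct seg *a = seg_alloc(), *b = seg_alloc();   /* pool now exhausted */
    a->next = b; p.ooseq = a;
    printf("exhausted: %d\n", ooseq_replace(&p, NULL, a, &in));
    return 0;
}
```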