[lwip-devel] Problem with LWIP_ERROR in pbuf_header(..)

[Fredrik Hederstierna]

Hi

We have problems with getting LWIP_ERROR()
in function  pbuf_header(..) in "pbuf.c"


The ASSERTING pbuf.c code looks like this,
line 429


  if (header_size_increment < 0){
    increment_magnitude = -header_size_increment;
         /* Check
that we aren't going to move off the end of the pbuf */
-------->LWIP_ERROR("increment_magnitude
<= p->len", (increment_magnitude <= p->len), return 1;);




We suspect that its called from UDP code
in udp_input(..) line 102:


  /* Check minimum length (IP header
+ UDP header)
   * and move payload pointer
to UDP header */
  if (p->tot_len < (IPH_HL(iphdr)
* 4 + UDP_HLEN) || pbuf_header(p, -(s16_t)(IPH_HL(iphdr) * 4))) {


That is if incomming UDP packet is too
short, so the call to pbuf_header() will trig LWIP_ERROR?
Isn't it better to just drop illegal-size
packets instead of ASSERT?
What if header and header length is corrupted?



What about this patch


Index: src/core/pbuf.c
===================================================================
RCS file: /sources/lwip/lwip/src/core/pbuf.c,v
retrieving revision 1.132
diff -u -r1.132 pbuf.c
--- src/core/pbuf.c     18 Feb
2009 16:50:40 -0000      1.132
+++ src/core/pbuf.c     24 Apr
2009 12:29:59 -0000
@@ -399,8 +399,13 @@

   if (header_size_increment
< 0){
     increment_magnitude
= -header_size_increment;
+#if 0
+    /* Can't assert these as
some callers speculatively call
+         pbuf_header()
to see if it's OK.  Will return 1 below instead. */
     /* Check that we aren't
going to move off the end of the pbuf */
     LWIP_ERROR("increment_magnitude
<= p->len", (increment_magnitude <= p->len), return 1;);
+#endif
+    return 1;
   } else {
     increment_magnitude
= header_size_increment;
 #if 0



Best Regards
Fredrik Hederstierna