[lwip-devel] [bug #48476] TCP sent callback called wrongly due to pickin


From: Ambroz Bizjak
Subject: [lwip-devel] [bug #48476] TCP sent callback called wrongly due to picking up old pcb->acked
Date: Mon, 11 Jul 2016 19:29:08 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?48476>

                 Summary: TCP sent callback called wrongly due to picking up old pcb->acked
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: abizjak
            Submitted on: Mon 11 Jul 2016 07:29:06 PM GMT
                Category: TCP
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

In tcp_in.c, tcp_input(), shortly after calling tcp_process(), pcb->acked is
checked, and if it's nonzero, the application's sent callback is invoked with
the amount of acked data.

The fatal issue is that if tcp_process() does not set tcp->acked (usually when
the packet does not have the ACK flag), it can happen that the sent
callback is called again for the amount of acked data which has in fact been
acked with a previously received packet.

This generally causes an inconsistency in the application code and results in
something bad.

Reproducing is almost trivial:
- Make an application continuously send data to the client.
- Keep track of the amount of outstanding data, with an integer that you
increase after tcp_write and decrease in the sent callback.
- Add an assert in your sent-callback for the acked-bytes to be no more than
the amount of outstanding data.
- Send some crafted RST to the device with the right IPs/ports and with random
sequence numbers (so lwip will probably classify as not-acceptable, resulting
in tcp_process returning very soon without setting pcb->acked).
- Observe your assert being hit.

I reproduced this with my forked lwIP, but as far as I can see the issue exists
in current lwIP. I used the following to send some ACKs:

hping --rst --baseport <client port> --destport <device port> --keep <device IP>




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?48476>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
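
The stale-state pattern described in this report, reduced to a small C model; this is an added example, not lwIP source or the reporter's code. The struct names, `process`, `input`, the `clear_first` switch and the byte counts are constructed assumptions, and clearing the field before processing is one possible remedy in this model, not the project's patch.

```c
#include <stdio.h>

/* Simplified model, not lwIP source: all names here are hypothetical. */
struct pcb { unsigned acked; };      /* bytes newly acked by the last segment */
struct app { unsigned outstanding; unsigned violations; };

/* Application "sent" callback: the invariant from the report is that
 * the acked byte count never exceeds the data still outstanding. */
static void on_sent(struct app *a, unsigned len) {
    if (len > a->outstanding) { a->violations++; a->outstanding = 0; }
    else a->outstanding -= len;
}

/* Stand-in for segment processing: it writes pcb->acked only when the
 * segment is accepted and carries an ACK; otherwise it returns early. */
static void process(struct pcb *p, int acceptable, int has_ack, unsigned n) {
    if (!acceptable || !has_ack) return;   /* early return, acked untouched */
    p->acked = n;
}

/* Input path. With clear_first == 0 a stale pcb->acked from an earlier
 * segment is reported again; with clear_first == 1 it is reset first. */
static void input(struct pcb *p, struct app *a, int clear_first,
                  int acceptable, int has_ack, unsigned n) {
    if (clear_first) p->acked = 0;
    process(p, acceptable, has_ack, n);
    if (p->acked > 0) on_sent(a, p->acked);
}

/* Constructed sequence: 1000 bytes written, one valid ACK for 600 bytes,
 * then one unacceptable RST. Returns the number of invariant violations. */
static unsigned run(int clear_first) {
    struct pcb p = { 0 };
    struct app a = { 1000, 0 };
    input(&p, &a, clear_first, 1, 1, 600);  /* valid ACK: outstanding 400 */
    input(&p, &a, clear_first, 0, 0, 0);    /* rejected RST, no ACK */
    return a.violations;
}

int main(void) {
    printf("stale acked kept:    %u violation(s)\n", run(0));
    printf("acked cleared first: %u violation(s)\n", run(1));
    return 0;
}
```

The same over-ack check in `on_sent` is useful in a real application as a guard, since an unchecked subtraction there would wrap the outstanding counter.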