lwip-devel


From: Ambroz Bizjak
Subject: [lwip-devel] [bug #51597] ip4_reass: Last fragment is assumed to have arrived even if it was discarded
Date: Thu, 27 Jul 2017 19:24:29 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?51597>

                 Summary: ip4_reass: Last fragment is assumed to have arrived
even if it was discarded
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: abizjak
            Submitted on: Thu 27 Jul 2017 11:24:28 PM UTC
                Category: IPv4
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:


When a fragment with MF=0 is received, IP_REASS_FLAG_LASTFRAG is set:

http://git.savannah.gnu.org/cgit/lwip.git/tree/src/core/ipv4/ip4_frag.c?id=925f3944d3d9de6e730f6d0738844f339ce9e35c#n591

Then the same fragment may be discarded in various places within
ip_reass_chain_frag_into_datagram_and_validate (goto freepbuf), for example
because it overlaps with existing fragments.

Later, should another fragment with MF=1 be inserted at the end, the reassembly
may be considered completed because there are no gaps at the start and between
fragments and the last fragment has supposedly arrived (IP_REASS_FLAG_LASTFRAG
was set). Then the assert at line 468 would fail since the end of the last
fragment in the chain would not match the datagram_len remembered.

There is a similar issue if a fragment with MF=0 is received which has a smaller
end than a previously received fragment with MF=0. Then datagram_len would be
lowered and the mentioned assert would fail when reassembly is considered
complete since the former fragment (which now has an end greater than
datagram_len) would still be in the chain.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?51597>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
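
The two sequences described in the report, as an added example that is not part of the original message and is not lwIP source: a simplified model of the reassembly state in which `struct reass`, `chain_insert`, `contiguous` and `feed` are hypothetical names. The `hardened` path shows one possible ordering (validate, insert, then commit the last-fragment state), assumed here for illustration and not the project's fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_FRAGS 8
struct frag { uint16_t start, end; };            /* payload bytes [start, end) */
struct reass {
  struct frag chain[MAX_FRAGS];                  /* sorted by start offset */
  int n;
  bool lastfrag;                                 /* models IP_REASS_FLAG_LASTFRAG */
  uint16_t datagram_len;
};

/* Sorted insert; an overlapping fragment is discarded (models "goto freepbuf"). */
static bool chain_insert(struct reass *r, uint16_t s, uint16_t e) {
  int pos = 0;
  if (r->n == MAX_FRAGS || s >= e) return false;
  for (int i = 0; i < r->n; i++) {
    if (s < r->chain[i].end && r->chain[i].start < e) return false;
    if (r->chain[i].start < s) pos = i + 1;
  }
  memmove(&r->chain[pos + 1], &r->chain[pos], (size_t)(r->n - pos) * sizeof(struct frag));
  r->chain[pos] = (struct frag){ s, e };
  r->n++;
  return true;
}

static bool contiguous(const struct reass *r) {
  if (r->n == 0 || r->chain[0].start != 0) return false;
  for (int i = 1; i < r->n; i++)
    if (r->chain[i].start != r->chain[i - 1].end) return false;
  return true;
}

/* Returns 0 = incomplete or dropped, 1 = complete, -1 = "complete" but the
   chain end differs from datagram_len (the condition the assert guards). */
int feed(struct reass *r, uint16_t s, uint16_t e, bool mf, bool hardened) {
  bool last = !mf;
  if (hardened) {                                /* validate before touching state */
    if (r->lastfrag && (e > r->datagram_len || (last && e != r->datagram_len))) return 0;
    if (last && r->n > 0 && r->chain[r->n - 1].end > e) return 0;
  } else if (last) {                             /* order described in the report */
    r->lastfrag = true; r->datagram_len = e;
  }
  if (!chain_insert(r, s, e)) return 0;
  if (hardened && last) { r->lastfrag = true; r->datagram_len = e; }
  if (!(r->lastfrag && contiguous(r))) return 0;
  return r->chain[r->n - 1].end == r->datagram_len ? 1 : -1;
}
```

A return of -1 marks the state in which a real implementation would hit the assert or, with asserts compiled out, hand up a datagram whose recorded length disagrees with the data actually chained.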



