[lwip-devel] [bug #52676] tcp: pcb->unsent_oversize not cleared segment
From: Joel Cunningham
Subject: [lwip-devel] [bug #52676] tcp: pcb->unsent_oversize not cleared segment split leading to memory corruption
Date: Fri, 15 Dec 2017 13:32:30 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
URL: <http://savannah.nongnu.org/bugs/?52676>
Summary: tcp: pcb->unsent_oversize not cleared segment split leading to memory corruption
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: jcunningham
Submitted on: Fri 15 Dec 2017 06:32:28 PM UTC
Category: TCP
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: In Progress
Privacy: Public
Assigned to: jcunningham
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
I found a bug in tcp_split_unsent_seg() where if there is a single oversized
segment being split, pcb->unsent_oversize is not cleared, leading to memory
corruption if tcp_write is called before the remainder of the split is sent
via tcp_output().
Just as a refresher, the split is accomplished by calling pbuf_realloc() on
the head to shrink it to the split size, then a new pbuf (of exact size) is
allocated for the remainder and added after the head.
I updated the test_tcp_persist_split unit test to explicitly check for this
case.
Just wanted an RFC on this fix before pushing it. I haven't worked as much
with the oversize feature, so I wanted to make sure I have a correct
understanding.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 15 Dec 2017 06:32:28 PM UTC
Name: 0001-tcp-clear-unsent_oversize-during-segment-split.patch
Size: 6KiB
By: jcunningham
<http://savannah.nongnu.org/bugs/download.php?file_id=42658>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?52676>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
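The bookkeeping failure the report describes, as an added C model that is not lwIP's code: a segment with trailing spare space is split (head shrunk in place, exact-size remainder queued), and a stale unsent_oversize then lets the next write run past the remainder's allocation. All type and function names (struct seg, struct pcb, split_head, pcb_write, scenario) are hypothetical stand-ins for the lwIP internals.

```c
/* Model of TCP_OVERSIZE bookkeeping across a segment split.
 * Hypothetical names; not lwIP code. */
#include <stdlib.h>
#include <string.h>

struct seg {                 /* one unsent segment backed by a single buffer */
    unsigned char *buf;
    size_t alloc;            /* bytes actually allocated behind buf */
    size_t len;              /* bytes of payload in use */
    struct seg *next;
};
struct pcb {
    struct seg *unsent;      /* head of the unsent queue */
    size_t unsent_oversize;  /* spare bytes at the tail of the LAST unsent segment */
};

static struct seg *seg_new(size_t alloc, size_t len) {
    struct seg *s = calloc(1, sizeof *s);
    s->buf = malloc(alloc); s->alloc = alloc; s->len = len;
    return s;
}

/* Split the single queued segment at 'at': shrink the head in place (what
 * pbuf_realloc does) and queue an exact-size segment for the remainder. */
static void split_head(struct pcb *pcb, size_t at, int fixed) {
    struct seg *head = pcb->unsent, *rem = seg_new(head->len - at, head->len - at);
    memcpy(rem->buf, head->buf + at, head->len - at);
    head->buf = realloc(head->buf, at); head->alloc = at; head->len = at;
    rem->next = head->next; head->next = rem;
    if (fixed) pcb->unsent_oversize = 0;  /* the fix: 'rem' has no trailing space */
}

/* tcp_write analogue: leading bytes go into the last segment's oversize region.
 * Returns bytes placed there, or -1 instead of writing past the allocation. */
static int pcb_write(struct pcb *pcb, const unsigned char *data, size_t n) {
    struct seg *last = pcb->unsent;
    while (last->next) last = last->next;
    size_t take = n < pcb->unsent_oversize ? n : pcb->unsent_oversize;
    if (last->len + take > last->alloc) return -1;   /* stale unsent_oversize */
    memcpy(last->buf + last->len, data, take);
    last->len += take; pcb->unsent_oversize -= take;
    return (int)take;
}

/* Constructed case: 8 payload bytes in a 16-byte buffer (8 spare), split at 4. */
int scenario(int fixed) {
    struct pcb pcb = { seg_new(16, 8), 8 };
    memset(pcb.unsent->buf, 'a', 8);
    split_head(&pcb, 4, fixed);
    return pcb_write(&pcb, (const unsigned char *)"xyzw", 4);
}
```

scenario(0) reports the overrun the stale counter would cause; scenario(1), with unsent_oversize cleared during the split, places nothing in a nonexistent oversize region and returns 0.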