[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #54744] if altcp_close() called from recv() callback,
From: |
David GIRAULT |
Subject: |
[lwip-devel] [bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory |
Date: |
Thu, 27 Sep 2018 11:07:38 -0400 (EDT) |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 |
URL:
<https://savannah.nongnu.org/bugs/?54744>
Summary: if altcp_close() called from recv() callback, there
is some write to freed memory
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: dgirault
Submitted on: Thu 27 Sep 2018 03:07:36 PM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
When altcp_close() is called from the recv() handler installed by application
for an altcp mbedtls socket, the following problem occurs:
- in altcp_mbedtls_pass_rx_data(), state isn't valid anymore after
conn->recv() call, so it must not write null to state->rx_app.
- in altcp_mbedtls_handle_rx_appldata(), which call
altcp_mbedtls_pass_rx_data(), state may not be valid after this call. So loop
must be breaked.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?54744>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
- [lwip-devel] [bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory,
David GIRAULT <=