[lwip-devel] [bug #54744] if altcp_close() called from recv() callback,


From: David GIRAULT
Subject: [lwip-devel] [bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory
Date: Thu, 27 Sep 2018 11:07:38 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

URL:
  <https://savannah.nongnu.org/bugs/?54744>

                 Summary: if altcp_close() called from recv() callback, there is some write to freed memory
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: dgirault
            Submitted on: Thu 27 Sep 2018 03:07:36 PM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

When altcp_close() is called from the recv() handler installed by the
application for an altcp mbedtls socket, the following problem occurs:

- in altcp_mbedtls_pass_rx_data(), state isn't valid anymore after the
conn->recv() call, so it must not write null to state->rx_app.

- in altcp_mbedtls_handle_rx_appldata(), which calls
altcp_mbedtls_pass_rx_data(), state may not be valid after this call. So the
loop must be broken.






    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?54744>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
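
The pattern the report describes, as an added example that is not lwIP code and not part of the original message: a small model in which the per-connection state is detached before the application callback runs and the delivery loop stops once the callback has closed the connection. All names (struct conn, struct tls_state, conn_close, pass_rx_data, handle_rx_appldata) are hypothetical stand-ins, and the model assumes the connection object itself outlives the close so that its state pointer can be re-read.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; these are not lwIP's structures. */
struct conn;
typedef void (*recv_fn)(struct conn *c, const char *data);
struct tls_state { const char *rx_app; };   /* decrypted data pending for the app */
struct conn { struct tls_state *state; recv_fn recv; };

/* Models a close: releases the per-connection state. */
static void conn_close(struct conn *c) { free(c->state); c->state = NULL; }

/* Application callback that closes the connection when it sees "quit". */
static void app_recv(struct conn *c, const char *data) {
    if (data[0] == 'q') conn_close(c);
}

/* Hands pending data to the app. Returns 1 if the state survived, 0 if not. */
static int pass_rx_data(struct conn *c) {
    struct tls_state *state = c->state;
    const char *buf = state->rx_app;
    state->rx_app = NULL;       /* detach BEFORE the callback ...              */
    c->recv(c, buf);            /* ... because `state` may be freed in here    */
    return c->state != NULL;    /* re-read; the local `state` may now dangle   */
}

/* Delivers records in order; returns how many reached the application. */
static int handle_rx_appldata(struct conn *c, const char **records, int n) {
    int delivered = 0;
    for (int i = 0; i < n; i++) {
        c->state->rx_app = records[i];
        delivered++;
        if (!pass_rx_data(c)) break;   /* state was freed: leave the loop */
    }
    return delivered;
}

/* Constructed sample: the second record makes the callback close the conn. */
int run_demo(void) {
    const char *records[] = { "hello", "quit", "late" };
    struct conn c = { calloc(1, sizeof(struct tls_state)), app_recv };
    if (c.state == NULL) return -1;
    int n = handle_rx_appldata(&c, records, 3);
    return (c.state == NULL) ? n : -1;
}

int main(void) { printf("delivered=%d\n", run_demo()); return 0; }
```

Without the early detach and the break, the model would write to the freed state after the "quit" record and dereference it again for "late"; building with -fsanitize=address makes that kind of access visible.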
