lwip-devel

Re: [lwip-devel] use-after-free caused by tcp_input_delayed_close


From: Michael Zimmermann
Subject: Re: [lwip-devel] use-after-free caused by tcp_input_delayed_close
Date: Fri, 25 Jan 2019 09:34:10 +0100

I'm using Espressif's modified version of lwIP for the ESP32, which is based on 2.0.3.
I could, however, reproduce this issue using the latest master branch of lwip and the Linux port.

Also, it looks like the code in question was added in 2012 and has never been changed that much.
To be more specific, it got introduced in this commit: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=13075460ea10c2902ea2055d18bbcfa73cec8523
and the questionable condition is in the following line today:
http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/core/tcp_in.c?id=master#n607

The problem does seem to go away if I just unconditionally call TCP_EVENT_ERR, but I'm not sure if that is the correct solution or if this would have unwanted side effects.

If you need to be able to reproduce this I'll happily upload sample code for both the client and the server side.

Thanks
Michael Zimmermann

On Thu, Jan 24, 2019 at 8:37 PM address@hidden <address@hidden> wrote:
On 24.01.2019 at 10:01, Michael Zimmermann wrote:
> Hi,
>
> I'm running a TCP server using lwIP and upon termination of the
> connection, both sides do a "shutdown(sock, SHUT_WR)", wait for recv to
> return 0, call "shutdown(sock, SHUT_RDWR)", call "close(sock)".

Which version of lwIP are you using? If this problem persists with
current git master (maybe it's enough to compare the code?), could you
please file a bug report to ensure this doesn't get lost?

Thanks,
Simon


> The bug occurs in the form of a race condition:
> - the lwIP server calls SHUT_WR
> - the client calls SHUT_WR, once lwip saw this, it sets TF_RXCLOSED in
> "pcb->flags"
> - the client closes the connection, lwip sees this, adds TF_CLOSED to
> recv_flags, and then deletes the pcb within "tcp_input_delayed_close".
>
> The problem here is that "tcp_input_delayed_close" only calls the
> "pcb->errf" callback on this condition:
> "if (!(pcb->flags & TF_RXCLOSED))"
>
> I don't really know why that was done in the first place, but because of
> this, the pcb gets freed without notifying the user (which would set
> conn->pcb.tcp to NULL) in case the RX side was closed already.
>
> On the next call to shutdown or close, this results in use-after-free.
>
> I'm posting this to the mailing list first instead of the bug tracker to
> discuss the intention behind the condition and to come up with a proper
> solution.
>
> Thanks
> Michael Zimmermann
>
> _______________________________________________
> lwip-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/lwip-devel
>


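To make the sequence in the quoted report concrete, here is an added C model of it; this is constructed for illustration and is not lwIP's code nor code from either poster. A one-slot pool stands in for memp, `netconn_err` for the socket layer's error callback, and `replay_close_race` replays the race once with the condition quoted from `tcp_input_delayed_close` and once with an unconditional error notification.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the objects named in the report (not lwIP's code). */
#define TF_RXCLOSED 0x01u   /* pcb->flags: application already shut down the rx side */
#define TF_CLOSED   0x02u   /* recv_flags: peer closed, pcb is about to be deleted */
struct netconn { struct tcp_pcb *pcb; };   /* conn->pcb.tcp in lwIP */
struct tcp_pcb {
  unsigned flags;
  void (*errf)(void *arg);                 /* stands in for pcb->errf / TCP_EVENT_ERR */
  void *callback_arg;
};
/* One-slot pcb pool, so touching a "freed" pcb is detected instead of being UB. */
static struct tcp_pcb pcb_pool;
static bool pcb_allocated;
/* Error callback the netconn layer installs: it forgets the pcb. */
static void netconn_err(void *arg) { ((struct netconn *)arg)->pcb = NULL; }
/* Model of tcp_input_delayed_close. notify_always=false keeps the condition
 * quoted in the report; true is the unconditional TCP_EVENT_ERR Michael tried. */
static void delayed_close(struct tcp_pcb *pcb, unsigned recv_flags, bool notify_always)
{
  if (recv_flags & TF_CLOSED) {
    if (notify_always || !(pcb->flags & TF_RXCLOSED)) {
      pcb->errf(pcb->callback_arg);
    }
    pcb_allocated = false;               /* memp_free(MEMP_TCP_PCB, pcb) */
  }
}

/* A later shutdown()/close() touches the pcb if the netconn still points at one.
 * Returns 0 = nothing to do, 1 = live pcb used, -1 = use-after-free. */
static int netconn_close(const struct netconn *conn)
{
  if (conn->pcb == NULL) return 0;
  return pcb_allocated ? 1 : -1;
}

/* Replay the race: server SHUT_WR, client SHUT_WR (rx closed), client close
 * (TF_CLOSED) runs the delayed close, then the application closes its socket. */
int replay_close_race(bool notify_always)
{
  struct netconn conn;
  pcb_pool.flags = TF_RXCLOSED;
  pcb_pool.errf = netconn_err;
  pcb_pool.callback_arg = &conn;
  pcb_allocated = true;
  conn.pcb = &pcb_pool;
  delayed_close(&pcb_pool, TF_CLOSED, notify_always);
  return netconn_close(&conn);
}
```

With the reported condition the netconn still holds the pointer to the deleted pcb, so the application's close touches freed memory; notifying unconditionally lets the callback clear the pointer first.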
