[lwip-devel] [bug #61666] A memory leak BUG in function tcp_input().


From: xuyao hong
Subject: [lwip-devel] [bug #61666] A memory leak BUG in function tcp_input().
Date: Mon, 13 Dec 2021 06:02:35 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Edg/96.0.1054.53

Follow-up Comment #1, bug #61666 (project lwip):

//tcp_appcode.c

static err_t app_cb_accept(void* arg, struct tcp_pcb* pcb, err_t err)
{
  ...
  tcp_sent(pcb, app_cb_sent);
  ...
}
static err_t app_cb_sent(void* arg, struct tcp_pcb* pcb, u16_t len)
{
  ...
  tcp_close(pcb);
  ...
  return ERR_OK;
}

//tcp_in.c
// When tcp_input() receives a TCP segment carrying both the PSH and ACK flags, the following flow executes:
tcp_input(struct pbuf *p)
{
  if (pcb != NULL) {
    ...
    inseg.p = p;
    recv_data = NULL;
    recv_acked = 0;

    ...
    err = tcp_process(pcb);
    if (err != ERR_ABRT) {
      if (recv_flags & TF_RESET) {
        ...
      } else {
        ...
        if (recv_acked > 0) {
          ...
          // At this point, most likely recv_data == p and inseg.p == NULL.
          TCP_EVENT_SENT(pcb, (u16_t)acked16, err); /* calls back app_cb_sent() */
          // If app_cb_sent() performs either of the following, the pbuf leak is triggered:
          // [1] call tcp_close() and return ERR_OK,
          // [2] call tcp_abort() and return ERR_ABRT.
          if (err == ERR_ABRT) {
            // If (recv_data != NULL) at this point, p is leaked.
            goto aborted; // ERROR POINT (1)
          }
          ...
        }
        if (tcp_input_delayed_close(pcb)) {
          // If (recv_data != NULL) at this point, p is leaked.
          goto aborted;   // ERROR POINT (2)
        }
        ...
      }
    }
aborted:
    tcp_input_pcb = NULL;
    recv_data = NULL;
    if (inseg.p != NULL) {
      pbuf_free(inseg.p);
      inseg.p = NULL;
    }
  }
  ...
}




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?61666>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
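
A minimal model of the buffer-ownership problem described in the report above, added here as an example; it is not lwIP code and not the project's fix. The toy_* names and the extra free of recv_data at the aborted label are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for lwIP's pbuf and tcp_input() state; all names are hypothetical. */
struct toy_pbuf { int ref; };
static int live_pbufs;                     /* buffers allocated but not yet freed */

static struct toy_pbuf *toy_alloc(void) {
  struct toy_pbuf *p = malloc(sizeof *p);
  if (p != NULL) { p->ref = 1; live_pbufs++; }
  return p;
}
static void toy_free(struct toy_pbuf *p) {
  if (p != NULL && --p->ref == 0) { free(p); live_pbufs--; }
}

/* Models the reported flow. app_closes: the sent callback closed or aborted the
 * pcb. free_recv_data: apply the assumed extra cleanup at "aborted".
 * Returns how many buffers were still allocated when the function finished. */
static int toy_tcp_input(int app_closes, int free_recv_data) {
  struct toy_pbuf *p, *inseg_p, *recv_data = NULL;
  int leaked;
  live_pbufs = 0;
  p = inseg_p = toy_alloc();               /* inseg.p = p */
  if (p == NULL) return -1;
  /* tcp_process(): payload ownership moves to recv_data, inseg.p is cleared */
  recv_data = inseg_p;
  inseg_p = NULL;
  if (app_closes) goto aborted;            /* ERROR POINT (1) / (2) */
  /* normal path: data is delivered to the application, which frees it */
  toy_free(recv_data);
  recv_data = NULL;
aborted:
  if (free_recv_data && recv_data != NULL) toy_free(recv_data);
  recv_data = NULL;                        /* without the line above, the last reference is dropped here */
  if (inseg_p != NULL) toy_free(inseg_p);  /* the only cleanup in the quoted excerpt */
  leaked = live_pbufs;
  if (leaked > 0) free(p);                 /* reclaim so the demo itself stays clean */
  return leaked;
}

int main(void) {
  printf("normal path:           %d leaked\n", toy_tcp_input(0, 0));
  printf("close in sent cb:      %d leaked\n", toy_tcp_input(1, 0));
  printf("close + recv_data free: %d leaked\n", toy_tcp_input(1, 1));
  return 0;
}
```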



