[lwip-users] Re: [lwip] Bug in pbuf_header() [patch]
From: Adam Dunkels
Subject: [lwip-users] Re: [lwip] Bug in pbuf_header() [patch]
Date: Wed, 08 Jan 2003 23:34:38 -0000
Hi Duncan!
Thanks!
/adam
On Thu, 2002-08-01 at 13:12, Duncan Palmer wrote:
> The other day we discovered that using the sockets interface with UDP
> connections doesn't work too well... a little bit of digging has revealed the
> problem is caused by the way pbuf_header() works. If a pbuf is of type
> PBUF_ROM, its payload was not allocated by lwip, and so messing with the
> payload pointer, as pbuf_header() does, to add space for headers is
> dangerous.
>
> What is happening in our case is that I call lwip_send() on a UDP socket.
> This results in a pbuf flagged as PBUF_ROM being allocated, its payload
> pointer pointing to the data I want to send. udp_send() calls pbuf_header()
> to adjust the payload pointer so it can fit in a UDP header. The test in
> pbuf_header():
>
> if((u8_t *)p->payload < (u8_t *)p + sizeof(struct pbuf))
>
> doesn't pick up on anything being wrong because the payload has a much higher
> address than the pbuf, and so udp_send() happily goes off and overwrites
> whatever came before my payload.
>
> I've attached a patch against the latest CVS which adds a check for pbufs of
> type PBUF_ROM in pbuf_header() to fix this...
>
> Dunk
>
> ----
>
> --- lwip-cvs-20020529/src/core/pbuf.c Wed May 29 15:00:16 2002
> +++ tcpip/src/core/pbuf.c Thu Aug 1 11:31:38 2002
> @@ -443,6 +443,10 @@
> {
> void *payload;
>
> + /* If the payload wasn't allocated by lwip, we can't mess with it */
> + if (p->flags & PBUF_FLAG_ROM)
> + return -1;
> +
> payload = p->payload;
> p->payload = (u8_t *)p->payload - header_size/sizeof(u8_t);
>
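Review bot: the early return added at the top of pbuf_header(), if (p->flags & PBUF_FLAG_ROM) return -1;, makes every header adjustment on a ROM pbuf fail, and nothing in this hunk shows the callers coping with that. udp_send(), which the report names as the caller on the lwip_send() path, has to check the return value and place its header in a separately allocated pbuf chained in front of the ROM one; without that, a UDP send of caller-owned data stops overwriting memory but either fails or goes out without room for its header. It would also help to extend the new comment to say what the caller is expected to do when it gets -1 for this reason.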
--
Adam Dunkels <address@hidden>
http://www.dunkels.com/adam/
[This message was sent through the lwip discussion list.]
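The failure described in the quoted report, and the effect of the flag check, as an added example that is not part of the original message or of lwIP's source. It is a simplified model: the value of PBUF_FLAG_ROM, the restore-on-failure step, and the names struct demo, header_prepatch, header_patched and clobbered are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t u8_t;
#define PBUF_FLAG_ROM 0x01   /* value constructed for this model */
struct pbuf { void *payload; u8_t flags; };

/* One object, so the payload sits above the pbuf, as in the report. */
struct demo {
  struct pbuf p;
  u8_t app[24];   /* app[0..7]: unrelated caller data, app[8..]: payload */
};

/* Model of the pre-patch logic: only the lower-bound test from the mail. */
static int header_prepatch(struct pbuf *p, int header_size)
{
  void *payload = p->payload;
  p->payload = (u8_t *)p->payload - header_size;
  if ((uintptr_t)p->payload < (uintptr_t)p + sizeof(struct pbuf)) {
    p->payload = payload;    /* assumed handling: restore and refuse */
    return -1;
  }
  return 0;
}

/* Model of the patched logic: refuse before touching a ROM payload. */
static int header_patched(struct pbuf *p, int header_size)
{
  if (p->flags & PBUF_FLAG_ROM)
    return -1;
  return header_prepatch(p, header_size);
}

/* Counts the caller's 8 neighbouring bytes overwritten by a header write. */
static int clobbered(int (*hdr)(struct pbuf *, int))
{
  struct demo d;
  int i, n = 0;
  memset(d.app, 0xAA, sizeof d.app);
  d.p.payload = d.app + 8;   /* caller-owned data, flagged ROM */
  d.p.flags = PBUF_FLAG_ROM;
  if (hdr(&d.p, 8) == 0)
    memset(d.p.payload, 0, 8);   /* stand-in for writing an 8-byte UDP header */
  for (i = 0; i < 8; i++)
    n += (d.app[i] != 0xAA);
  return n;
}

int main(void) { return clobbered(header_prepatch) == 8 && clobbered(header_patched) == 0 ? 0 : 1; }
```

With the lower-bound test alone the adjustment succeeds and the header write lands on the caller's adjacent bytes; with the flag check the adjustment is refused and nothing is written.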