[lwip-users] Re: [lwip] Bug in pbuf_header() [patch]

[Adam Dunkels]

Hi Duncan!

Thanks!

/adam

On Thu, 2002-08-01 at 13:12, Duncan Palmer wrote:
> The other day we discovered that using the sockets interface with UDP 
> connections doesn't work too well... a little bit of digging has revealed the 
> problem is caused by the way pbuf_header() works. If a pbuf is of type 
> PBUF_ROM, its payload was not allocated by lwip, and so messing with the 
> payload pointer, as pbuf_header() does, to add space for headers is 
> dangerous. 
> 
> What is happening in our case is that I call lwip_send() on a UDP socket. 
> This results in a pbuf flagged as PBUF_ROM being allocated, its payload 
> pointer pointing to the data I want to send. udp_send() calls pbuf_header() 
> to adjust the payload pointer so it can fit in a UDP header. The test in 
> pbuf_header():
> 
> if((u8_t *)p->payload < (u8_t *)p + sizeof(struct pbuf)) 
> 
> doesn't pick up on anything being wrong because the payload has a much higher 
> address than the pbuf, and so udp_send() happily goes off and overwrites 
> whatever came before my payload. 
> 
> I've attached a patch against the latest CVS which adds a check for pbufs of 
> type PBUF_ROM in pbuf_header() to fix this...
> 
> Dunk
> 
> ----
> 

> --- lwip-cvs-20020529/src/core/pbuf.c Wed May 29 15:00:16 2002
> +++ tcpip/src/core/pbuf.c     Thu Aug  1 11:31:38 2002
> @@ -443,6 +443,10 @@
>  {
>    void *payload;
>  
> +  /* If the payload wasn't allocated by lwip, we can't mess with it */
> +  if (p->flags & PBUF_FLAG_ROM)
> +      return -1;
> +
>    payload = p->payload;
>    p->payload = (u8_t *)p->payload - header_size/sizeof(u8_t);
>  
-- 
Adam Dunkels <address@hidden>
http://www.dunkels.com/adam/

[This message was sent through the lwip discussion list.]