
RE: [lwip-users] tcp_enqueue - bug

From: Jan Ulvesten
Subject: RE: [lwip-users] tcp_enqueue - bug
Date: Thu, 17 Mar 2005 10:41:20 +0100


You're right. Thanks!

'queue' might be referenced before it is initialized.

I changed:
struct tcp_seg *seg, *useg, *queue;

to:
struct tcp_seg *seg, *useg, *queue=NULL;

Anyway, I managed to solve the routing of data from ppp to Ethernet in a
temporary way by adding 6 bytes of "secret" space to every pbuf (in the
def) and then memmove'ing the payload when routing ppp packets onto Ethernet.

Jan Ulvesten
Senior Software Engineer
Tel   +47 72 89 56 55
Fax  +47 72 89 56 51
Mob +47 416 62 033
-----Original Message-----
From: address@hidden
Sent: 16. mars 2005 23:38
To: address@hidden
Subject: [lwip-users] tcp_enqueue - bug

I found a bug in tcp_enqueue.

I'm using LWIP 1.1.0

We have the following:

tcp_enqueue(struct tcp_pcb *pcb, void *arg, u16_t len,
  u8_t flags, u8_t copy,
  u8_t *optdata, u8_t optlen)
{
  struct pbuf *p;
  struct tcp_seg *seg, *useg, *queue;
  u32_t left, seqno;
  u16_t seglen;
  void *ptr;
  u8_t queuelen;

  LWIP_DEBUGF(TCP_OUTPUT_DEBUG, ("tcp_enqueue(pcb=%p, arg=%p, len=%u, flags=%x, copy=%u)\n",
    (void *)pcb, arg, len, (unsigned int)flags, (unsigned int)copy));
  LWIP_ASSERT("tcp_enqueue: len == 0 || optlen == 0 (programmer violates API)",
      len == 0 || optlen == 0);
  LWIP_ASSERT("tcp_enqueue: arg == NULL || optdata == NULL (programmer violates API)",
      arg == NULL || optdata == NULL);
  /* fail on too much data */
  if (len > pcb->snd_buf) {
    LWIP_DEBUGF(TCP_OUTPUT_DEBUG | 3, ("tcp_enqueue: too much data (len=%u > snd_buf=%u)\n", len, pcb->snd_buf));
    return ERR_MEM;
  }
  left = len;
  ptr = arg;

  /* seqno will be the sequence number of the first segment enqueued
   * by the call to this function. */
  seqno = pcb->snd_lbb;

  LWIP_DEBUGF(TCP_QLEN_DEBUG, ("tcp_enqueue: queuelen: %u\n", (unsigned int)pcb->snd_queuelen));

  /* If total number of pbufs on the unsent/unacked queues exceeds the
   * configured maximum, return an error */
  queuelen = pcb->snd_queuelen;
  if (queuelen >= TCP_SND_QUEUELEN) {
    LWIP_DEBUGF(TCP_OUTPUT_DEBUG | 3, ("tcp_enqueue: too long queue %u (max %u)\n", queuelen, TCP_SND_QUEUELEN));
    goto memerr;
  }


and later:

  return ERR_OK;

memerr:
  if (queue != NULL) {
    tcp_segs_free(queue);
  }
  if (pcb->snd_queuelen != 0) {
    LWIP_ASSERT("tcp_enqueue: valid queue length", pcb->unacked != NULL ||
      pcb->unsent != NULL);
  }
  LWIP_DEBUGF(TCP_QLEN_DEBUG | DBG_STATE, ("tcp_enqueue: %d (with mem err)\n", pcb->snd_queuelen));
  return ERR_MEM;
}

The problem arises when "queuelen >= TCP_SND_QUEUELEN" is true.

We jump to the "memerr:" label and, as you see, the queue variable is not set, so
we try to free it. And that hangs up the stack.
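As an added illustration of the defect discussed in this thread (this is constructed example code, not lwIP's tcp_enqueue() and not code posted by either correspondent), the function below uses the same "goto memerr" cleanup shape with a chain pointer that is initialised to NULL before the first early exit, so the error path always sees a defined pointer. The names enqueue(), seg_alloc(), segs_free(), SND_QUEUELEN and SEG_SIZE are hypothetical stand-ins; a live-allocation counter and a fault-injection hook are included so the three exits (queue already full, queue filling up mid-way, allocation failure mid-way) can be exercised and shown to free exactly the partial chain and nothing else:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example (not lwIP code): a minimal send-segment queue with the
 * same "goto memerr" cleanup shape as tcp_enqueue(). The names enqueue(),
 * seg_alloc(), segs_free() and SND_QUEUELEN are hypothetical stand-ins. */
#define ERR_OK        0
#define ERR_MEM     (-1)
#define SND_QUEUELEN  4    /* stand-in for TCP_SND_QUEUELEN */
#define SEG_SIZE      8    /* stand-in for the per-segment payload limit */

struct seg {
    struct seg *next;
    size_t len;
    unsigned char data[SEG_SIZE];
};

static int live_segs = 0;       /* live allocations: lets a test prove no leak */
static int fail_alloc_at = 0;   /* fault injection: the Nth seg_alloc() returns NULL */

static struct seg *seg_alloc(void) {
    if (fail_alloc_at > 0 && --fail_alloc_at == 0)
        return NULL;
    struct seg *s = calloc(1, sizeof *s);
    if (s != NULL)
        live_segs++;
    return s;
}

/* Free a whole chain. A NULL head is a no-op, which is only meaningful when
 * the caller's pointer is defined (the point of the thread's "= NULL" fix). */
void segs_free(struct seg *q) {
    while (q != NULL) {
        struct seg *next = q->next;
        free(q);
        live_segs--;
        q = next;
    }
}

/* Split len bytes at arg into segments and append them to *unsent.
 * queuelen mirrors pcb->snd_queuelen: it is copied locally and written back
 * only on success, so a failed call leaves the caller's state untouched.
 * Every failure exits through memerr. */
int enqueue(struct seg **unsent, unsigned *queuelen, const void *arg, size_t len) {
    struct seg *queue = NULL;  /* defined before any goto memerr can run */
    struct seg *tail = NULL;
    const unsigned char *ptr = arg;
    size_t left = len;
    unsigned qlen = *queuelen;

    if (qlen >= SND_QUEUELEN)
        goto memerr;           /* reaches memerr before queue is ever assigned */

    while (left > 0) {
        if (qlen >= SND_QUEUELEN)
            goto memerr;       /* partial chain already in queue must be released */
        struct seg *s = seg_alloc();
        if (s == NULL)
            goto memerr;
        s->len = left < SEG_SIZE ? left : SEG_SIZE;
        memcpy(s->data, ptr, s->len);
        if (queue == NULL)
            queue = s;
        else
            tail->next = s;
        tail = s;
        ptr += s->len;
        left -= s->len;
        qlen++;
    }

    /* Commit the new chain only once every segment was built. */
    if (*unsent == NULL) {
        *unsent = queue;
    } else {
        struct seg *u = *unsent;
        while (u->next != NULL)
            u = u->next;
        u->next = queue;
    }
    *queuelen = qlen;
    return ERR_OK;

memerr:
    if (queue != NULL)         /* queue is NULL or a valid chain head, never garbage */
        segs_free(queue);
    return ERR_MEM;
}

int live_segments(void) { return live_segs; }
void set_fail_alloc_at(int n) { fail_alloc_at = n; }
```

Without the initialiser, the first goto above would hand an indeterminate pointer to segs_free(), exactly the situation the original report describes; compiling with -Wall -Wmaybe-uninitialized (or running under a sanitizer with a test that hits the full-queue path first) is the cheapest way to catch this class of cleanup-path bug before it reaches a target board.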
