RE: [lwip-users] tcp_enqueue - bug
From: Jan Ulvesten
Subject: RE: [lwip-users] tcp_enqueue - bug
Date: Thu, 17 Mar 2005 10:41:20 +0100
Hi
You're right. Thanks!
'queue' might be referenced before it is initialized.
I changed:
  struct tcp_seg *seg, *useg, *queue;
to
  struct tcp_seg *seg, *useg, *queue=NULL;
Anyway, I managed to solve the routing of data from ppp to Ethernet in a
temporary way by adding 6 bytes of "secret" space to every pbuf (in the
def) and then memmove payload when routing ppp packets onto Ethernet.
Jan Ulvesten
Senior Software Engineer
SICOM AS
Tel +47 72 89 56 55
Fax +47 72 89 56 51
Mob +47 416 62 033
-----Original Message-----
From: address@hidden
[mailto:address@hidden
Sent: 16. mars 2005 23:38
To: address@hidden
Subject: [lwip-users] tcp_enqueue - bug
Hello
I found a bug in tcp_enqueue.
I'm using LWIP 1.1.0.
We have the following:
err_t
tcp_enqueue(struct tcp_pcb *pcb, void *arg, u16_t len,
  u8_t flags, u8_t copy,
  u8_t *optdata, u8_t optlen)
{
  struct pbuf *p;
  struct tcp_seg *seg, *useg, *queue;
  u32_t left, seqno;
  u16_t seglen;
  void *ptr;
  u8_t queuelen;
  LWIP_DEBUGF(TCP_OUTPUT_DEBUG, ("tcp_enqueue(pcb=%p, arg=%p, len=%u, flags=%x, copy=%u)\n",
    (void *)pcb, arg, len, (unsigned int)flags, (unsigned int)copy));
  LWIP_ASSERT("tcp_enqueue: len == 0 || optlen == 0 (programmer violates API)",
    len == 0 || optlen == 0);
  LWIP_ASSERT("tcp_enqueue: arg == NULL || optdata == NULL (programmer violates API)",
    arg == NULL || optdata == NULL);
  /* fail on too much data */
  if (len > pcb->snd_buf) {
    LWIP_DEBUGF(TCP_OUTPUT_DEBUG | 3, ("tcp_enqueue: too much data (len=%u > snd_buf=%u)\n", len, pcb->snd_buf));
    return ERR_MEM;
  }
  left = len;
  ptr = arg;
  /* seqno will be the sequence number of the first segment enqueued
   * by the call to this function. */
  seqno = pcb->snd_lbb;
  LWIP_DEBUGF(TCP_QLEN_DEBUG, ("tcp_enqueue: queuelen: %u\n", (unsigned int)pcb->snd_queuelen));
  /* If total number of pbufs on the unsent/unacked queues exceeds the
   * configured maximum, return an error */
  queuelen = pcb->snd_queuelen;
  if (queuelen >= TCP_SND_QUEUELEN) {
    LWIP_DEBUGF(TCP_OUTPUT_DEBUG | 3, ("tcp_enqueue: too long queue %u (max %u)\n", queuelen, TCP_SND_QUEUELEN));
    goto memerr;
  }
....
and later:
  return ERR_OK;
memerr:
  TCP_STATS_INC(tcp.memerr);
  if (queue != NULL) {
    tcp_segs_free(queue);
  }
  if (pcb->snd_queuelen != 0) {
    LWIP_ASSERT("tcp_enqueue: valid queue length", pcb->unacked != NULL ||
      pcb->unsent != NULL);
  }
  LWIP_DEBUGF(TCP_QLEN_DEBUG | DBG_STATE, ("tcp_enqueue: %d (with mem err)\n", pcb->snd_queuelen));
  return ERR_MEM;
}
The problem arises when "queuelen >= TCP_SND_QUEUELEN" is true.
We jump to the "memerr:" label and, as you see, the queue variable is not set, so
we try to free it. And that hangs up the stack.
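The cleanup pattern discussed in this thread, as an added example that is not part of either message and is not lwIP code: a shared error label that frees a local list is only safe if the list pointer has a defined value before the first goto. The names seg, segs_free, enqueue_model, QUEUE_MAX and freed_count are hypothetical stand-ins, and fail_at simulates an allocation failure.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins, not lwIP's types: a singly linked segment list. */
struct seg { struct seg *next; };
#define QUEUE_MAX 4            /* plays the role of TCP_SND_QUEUELEN */
#define E_OK 0
#define E_MEM (-1)
static int freed_count;        /* instrumentation: segments released so far */

static void segs_free(struct seg *s) {
  while (s != NULL) {
    struct seg *next = s->next;
    free(s);
    freed_count++;
    s = next;
  }
}

/* Builds `want` segments on a local list; fail_at >= 0 simulates a failed
 * allocation at that index. Both error exits share one cleanup label. */
static int enqueue_model(int queuelen, int want, int fail_at, struct seg **out) {
  struct seg *queue = NULL;    /* defined before the first goto */
  struct seg *tail = NULL;
  int i;

  if (queuelen >= QUEUE_MAX) {
    goto memerr;               /* early exit: nothing allocated yet */
  }
  for (i = 0; i < want; i++) {
    struct seg *s = (i == fail_at) ? NULL : calloc(1, sizeof *s);
    if (s == NULL) {
      goto memerr;             /* late exit: partial list must be released */
    }
    if (queue == NULL) queue = s; else tail->next = s;
    tail = s;
  }
  *out = queue;
  return E_OK;

memerr:
  if (queue != NULL) {         /* meaningful only because queue began as NULL */
    segs_free(queue);
  }
  *out = NULL;
  return E_MEM;
}

int main(void) {
  struct seg *out;
  return (enqueue_model(QUEUE_MAX, 1, -1, &out) == E_MEM && freed_count == 0) ? 0 : 1;
}
```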