R: RE : [lwip-users] Ping target ip address with a packet data bigthan 1

Hi,

I have encountered your same problem.

I made a little change at the function pbuf_alloc() (pbuf.c file):

Original (1.2.0 version), line 254:

/* make the payload pointer point 'offset' bytes into pbuf data memory */

p->payload = MEM_ALIGN((void *)((u8_t *)p + (sizeof(struct pbuf) + offset)));

LWIP_ASSERT("pbuf_alloc: pbuf p->payload properly aligned",

((mem_ptr_t)p->payload % MEM_ALIGNMENT) == 0);

/* the total length of the pbuf chain is the requested size */

p->tot_len = length;

/* set the length of the first pbuf in the chain */

p->len = length > PBUF_POOL_BUFSIZE - offset? PBUF_POOL_BUFSIZE - offset: length;

/* set reference count (needed here in case we fail) */

p->ref = 1;

After the change (modified or added lines maked with ‘=>’):

/* make the payload pointer point 'offset' bytes into pbuf data memory */

=> p->payload = MEM_ALIGN((void *)((u8_t *)p + sizeof(struct pbuf)));

=> p->payload = MEM_ALIGN((void *)((u8_t *)p->payload + offset));

=> offset = (u8_t *) p->payload - (u8_t *)MEM_ALIGN((void *)((u8_t *)p + sizeof(struct pbuf)));

LWIP_ASSERT("pbuf_alloc: pbuf p->payload properly aligned",

((mem_ptr_t)p->payload % MEM_ALIGNMENT) == 0);

/* the total length of the pbuf chain is the requested size */

p->tot_len = length;

/* set the length of the first pbuf in the chain */

p->len = length > PBUF_POOL_BUFSIZE - offset? PBUF_POOL_BUFSIZE - offset: length;

/* set reference count (needed here in case we fail) */

p->ref = 1;

In my opinion in the original version the value assigned to p->len can be too large (p->payload + p->len > p->next) and can cause writing, and corruption, of data located at address beyond the top border of the allocated pbuf.

Now it work.

I am not a lwIP expert so I cannot guarantee if this modify work on cases different from mine.

Regards,

Danilo

Da: address@hidden [mailto:address@hidden Per conto di address@hidden
Inviato: venerdì 23 novembre 2007 4.27
A: Mailing list for lwIP users
Oggetto: Re:RE : [lwip-users] Ping target ip address with a packet data bigthan 1500

Thanks for your reply,
my target board just set up a netif with ip adress 192.168.2.13, then,PC ping target board with command:

ping 192.168.2.13 -l 1400

lwip debug imformation is:

pbuf_alloc(length=1442)
pbuf_alloc: allocated pbuf 00209568
pbuf_alloc(length=1442) == 00209568
tcpip_thread: PACKET 00208400
etharp_ip_input: updating ETHARP table.
update_arp_entry()
update_arp_entry: 192.168.2.164 - 00:19:db:56:f1:83
update_arp_entry: updating stable entry 1
pbuf_header: old 00209578 new 00209586 (-14)
ip_input: iphdr->dest 0xd02a8c0 netif->ip_addr 0xd02a8c0 (0x2a8c0,

0x2a8c0, 0xd000000)
ip_input: packet accepted on interface en
ip_input:
IP header:
+-------------------------------+
| 4 | 5 | 0x00 |      1428     | (v, hl, tos, len)
+-------------------------------+
|    55086      |000|       0   | (id, flags, offset)
+-------------------------------+
|   64 |    1 |    0x1839     | (ttl, proto, chksum)
+-------------------------------+
| 192 | 168 |    2 | 164 | (src)
+-------------------------------+
| 192 | 168 |    2 |   13 | (dest)
+-------------------------------+
ip_input: p->len 114 p->tot_len 1428
pbuf_header: old 00209586 new 0020959a (-20)
icmp_input: ping
pbuf_header: old 0020959a new 00209578 (34)
pbuf_header: old 00209578 new 0020959a (-34)
pbuf_header: old 0020959a new 00209586 (20)
ip_output_if: en0
IP header:
+-------------------------------+
| 4 | 5 | 0x00 |      1428     | (v, hl, tos, len)
+-------------------------------+
|    55086      |000|       0   | (id, flags, offset)
+-------------------------------+
| 255 |    1 |    0x5938     | (ttl, proto, chksum)
+-------------------------------+
| 192 | 168 |    2 |   13 | (src)
+-------------------------------+
| 192 | 168 |    2 | 164 | (dest)
+-------------------------------+
netif->output()pbuf_header: old 00209586 new 00209578 (14)
etharp_query: sending packet 00209568
pbuf_free(00209568)
pbuf_free: deallocating 00209568
pbuf_free: deallocating 00209644
pbuf_free: deallocating 00209720
pbuf_free: deallocating 002097fc
pbuf_free: deallocating 002098d8
pbuf_free: deallocating 002099b4
pbuf_free: deallocating 00209a90
pbuf_free: deallocating 00209b6c
pbuf_free: deallocating 00209c48
pbuf_free: deallocating 00209d24
pbuf_free: deallocating 00209e00
pbuf_free: deallocating 00209edc

when command is:

ping 192.168.2.13 -l 1500

debug information is:

pbuf_alloc(length=1514)
pbuf_alloc: allocated pbuf 00209e00
pbuf_alloc(length=1514) == 00209e00
pbuf_alloc(length=62)
pbuf_alloc: allocated pbuf 0020948c
pbuf_alloc(length=62) == 0020948c
tcpip_thread: PACKET 002083c0
etharp_ip_input: updating ETHARP table.
update_arp_entry()
update_arp_entry: 192.168.2.164 - 00:19:db:56:f1:83
update_arp_entry: updating stable entry 1
pbuf_header: old 00209e10 new 00209e1e (-14)

then, it doesn't works!

在2007-11-22，"Frédéric BERNON" <address@hidden> 写道：

Hi,

Thank you to report these little problems. I just fix 1), 2) and 3).

About 4), when you said a "1500 data packet", do you talk about the ICMP payload, or the whole frame ? (perhaps post a capture file to be sure).

I remember there was a change on ICMP processing for such case. I will take a look this evening...

====================================
Frédéric BERNON
HYMATOM SA
Chef de projet informatique
Microsoft Certified Professional
Tél. : +33 (0)4-67-87-61-10
Fax. : +33 (0)4-67-70-85-44
Email : address@hiddenr
Web Site : http://www.hymatom.fr
====================================

P Avant d'imprimer, penser à l'environnement

-----Message d'origine-----
De : lwip-users-bounces+frederic.bernon=address@hidden [mailto:lwip-users-bounces+frederic.bernon=address@hidden] De la part de embed9527
Envoyé : jeudi 22 novembre 2007 03:39
À : address@hidden
Objet : [lwip-users] Ping target ip address with a packet data big than 1500

Hello everybody,

First of all, I am sorry to tell you my poor English skills.

Therefore, if the _expression_ unclear where to pay more attention to understanding.

I'm using lwip with cvs head updated daily, and I have some some issues of concern:

1)、File init.c line 100-105, it lost two ", but it hasn't any error or warning when

    compiler.

2)、File init.c line 124, it uses DHCP_AUTOIP_COOP, maybe it is a error, I change it

   with LWIP_DHCP_AUTOIP_COOP.

3)、File init.c line 143, it uses LWIP_PPP, but not define anywhere. I change it with

    PPP_SUPPORT.

4)、When I ping target with a 1500-data packet, lwip then dies and doesn't work anymore.

Thanks.

From:	Bessone Danilo
Subject:	R: RE : [lwip-users] Ping target ip address with a packet data bigthan 1500
Date:	Fri, 23 Nov 2007 10:38:42 +0100