
[lwip-users] Fragmented Ping of Death


From: RC Buchanan
Subject: [lwip-users] Fragmented Ping of Death
Date: Wed, 19 May 2021 15:09:10 -0500
User-agent: Evolution 3.30.5-1.1

Hello -

I'm working on a LwIP/FreeRTOS/Cortex-M7 system which has been
generally very solid, but noticed I'm crashing the processor with a 5
fragment ping ("ping 192.168.1.112 -s 5913 -c 1"). If there are 4 or
fewer fragments, it works fine ("ping 192.168.1.112 -s 5912 -i 0.1").

I was poking around in the debugger and it's telling me that the crash
is happening in or around "ip_reass_free_complete_datagram"...

As I understand it, this function ought to be cleaning up the fragments
of the ping, but it appears to be freeing the wrong datagram. When I
set a breakpoint on ip_reass_free_complete_datagram and run:

> (gdb) x /32xb ipr->p->payload

I see data for an ARP request that my PC sent 5 seconds after the 
original ping. It seems like this is what's triggering the crash, since
the logic is treating this payload as a struct and trying to extract
the "next_pbuf" from it.

I'm running STABLE-2_1_2_RELEASE, but I see the same with the latest
checkout of master.

Any advice on how to proceed here would be very much appreciated!

Thanks,
Robert
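
Added example (not part of the original post and not lwIP code): a fragment planner showing that the two `-s` values in the post sit exactly on the 4-to-5 fragment boundary, with the fifth fragment carrying a single byte. It assumes a 1500-byte Ethernet MTU and a 20-byte IPv4 header without options; `plan_ping_fragments` and `struct frag` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

#define IPV4_HDR_LEN 20u  /* assumption: IPv4 header without options */
#define ICMP_HDR_LEN 8u   /* ICMP echo header added by ping */

struct frag {
    unsigned offset_units; /* fragment offset field, in 8-byte units */
    unsigned data_len;     /* IP payload bytes carried by this fragment */
    int more_fragments;    /* MF flag: 1 on all but the last fragment */
};

/* Plan the fragments for "ping -s icmp_data_len" on a link with the given MTU.
 * Returns the fragment count, or -1 if mtu is too small or out[] is too short. */
int plan_ping_fragments(unsigned icmp_data_len, unsigned mtu,
                        struct frag *out, size_t out_cap)
{
    if (mtu < IPV4_HDR_LEN + 8u) return -1;
    unsigned total = icmp_data_len + ICMP_HDR_LEN;        /* IP payload to split */
    unsigned per_frag = ((mtu - IPV4_HDR_LEN) / 8u) * 8u; /* non-final sizes are multiples of 8 */
    unsigned sent = 0;
    int n = 0;
    do {
        if ((size_t)n >= out_cap) return -1;
        unsigned len = (total - sent < per_frag) ? total - sent : per_frag;
        out[n].offset_units = sent / 8u;
        out[n].data_len = len;
        sent += len;
        out[n].more_fragments = sent < total;
        n++;
    } while (sent < total);
    return n;
}

int main(void)
{
    unsigned sizes[] = { 5912u, 5913u }; /* the two -s values from the post */
    for (size_t i = 0; i < 2; i++) {
        struct frag f[8];
        int n = plan_ping_fragments(sizes[i], 1500u, f, 8);
        printf("-s %u: %d fragments\n", sizes[i], n);
        for (int k = 0; k < n; k++)
            printf("  #%d offset=%u len=%u MF=%d\n", k + 1,
                   f[k].offset_units * 8u, f[k].data_len, f[k].more_fragments);
    }
    return 0;
}
```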




