[lwip-devel] [bug #15659] IP fragmentation and reassembly crashes
From: Jon Chiang
Subject: [lwip-devel] [bug #15659] IP fragmentation and reassembly crashes
Date: Mon, 13 Nov 2006 02:49:16 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.8.1) Gecko/20061010 Firefox/2.0
Follow-up Comment #4, bug #15659 (project lwip):
The root cause is MEM_ALIGN being used incorrectly in pbuf_alloc for the POOL case.
When the offset is PBUF_LINK:14, which is out of MEM_ALIGN:4, pbuf->len would
be assigned a value which causes p->payload + p->len to fall outside the current
pbuf size, and on return to ip_frag() the memcpy() overwrites the pbuf pool,
then the data abort exception occurs!
The statement below is my solution to fix this bug.
/* make the payload pointer point 'offset' bytes into pbuf data memory */
p->payload = MEM_ALIGN((void *)((u8_t *)p + (sizeof(struct pbuf) + offset)));
LWIP_ASSERT("pbuf_alloc: pbuf p->payload properly aligned",
            ((mem_ptr_t)p->payload % MEM_ALIGNMENT) == 0);
/* the total length of the pbuf chain is the requested size */
p->tot_len = length;
/* set the length of the first pbuf in the chain */
pbuf_end = (u32)p + sizeof(struct pbuf) + PBUF_POOL_BUFSIZE;
p->len = length > pbuf_end - (u32)p->payload ? pbuf_end - (u32)p->payload
                                             : length;
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?15659>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
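Added example, not part of the original message or of lwIP's code: a small C model of the arithmetic described above, showing how rounding the payload pointer up with MEM_ALIGN while capping the length by the unaligned offset leaves payload + len past the end of the pool element. The pool buffer size, pbuf header size, element address, helper names and the pre-fix length rule (PBUF_POOL_BUFSIZE - offset) are assumptions, since the page does not show them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration; real ones come from the port's config. */
#define MEM_ALIGNMENT      4u
#define PBUF_POOL_BUFSIZE  128u
#define PBUF_LINK_HLEN     14u   /* the "PBUF_LINK:14" offset from the post */
#define PBUF_HDR_SIZE      16u   /* assumed sizeof(struct pbuf) on a 32-bit target */

/* Round an address up to the next MEM_ALIGNMENT boundary, as MEM_ALIGN does. */
static uintptr_t mem_align(uintptr_t addr) {
    return (addr + MEM_ALIGNMENT - 1u) & ~(uintptr_t)(MEM_ALIGNMENT - 1u);
}

/* Assumed pre-fix rule: length capped using the unaligned offset. */
static size_t len_unaligned_cap(size_t length, size_t offset) {
    size_t room = PBUF_POOL_BUFSIZE - offset;
    return length > room ? room : length;
}

/* Rule from the post: cap by the distance from the aligned payload to pbuf_end. */
static size_t len_aligned_cap(uintptr_t p, uintptr_t payload, size_t length) {
    uintptr_t pbuf_end = p + PBUF_HDR_SIZE + PBUF_POOL_BUFSIZE;
    size_t room = (size_t)(pbuf_end - payload);
    return length > room ? room : length;
}

/* Bytes by which payload+len runs past the end of the pool element (0 = fits). */
static size_t overrun(uintptr_t p, size_t offset, size_t length, int fixed) {
    uintptr_t payload = mem_align(p + PBUF_HDR_SIZE + offset);
    uintptr_t pbuf_end = p + PBUF_HDR_SIZE + PBUF_POOL_BUFSIZE;
    size_t len = fixed ? len_aligned_cap(p, payload, length)
                       : len_unaligned_cap(length, offset);
    return payload + len > pbuf_end ? (size_t)(payload + len - pbuf_end) : 0;
}

int main(void) {
    uintptr_t p = 0x20001000u;  /* constructed, aligned pool element address */
    printf("pre-fix overrun: %zu bytes\n", overrun(p, PBUF_LINK_HLEN, 1500, 0));
    printf("fixed overrun:   %zu bytes\n", overrun(p, PBUF_LINK_HLEN, 1500, 1));
    return 0;
}
```

With these constructed sizes the unaligned cap overshoots the element by 2 bytes, exactly the padding MEM_ALIGN inserted before the payload; an offset that is already a multiple of MEM_ALIGNMENT shows no overrun under either rule.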