Re: [lwip-devel] IPv6 and 1.5.0


From: Sylvain Rochet
Subject: Re: [lwip-devel] IPv6 and 1.5.0
Date: Wed, 18 Mar 2015 22:42:04 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hello Ivan,

On Wed, Mar 18, 2015 at 09:46:45PM +0100, Sylvain Rochet wrote:
> Hello Ivan,
> 
> On Wed, Mar 18, 2015 at 02:23:02PM -0600, Ivan Delamer wrote:
> > I've worked a little bit on open IPv6 bugs. I don't think we have
> > any showstoppers left.
> 
> I'm having SIGSEGV on HEAD, bisected to bc08c1d2b7. I'm looking into it,
> but this is a heisenbug, it disappears when I am using gdb on it :-)

Humm, gotcha I guess. I don't understand nd6_send_rs() buffer size 
calculation.

lladdr_opt_len = ((netif->hwaddr_len + 2) >> 3) + (((netif->hwaddr_len + 2) & 0x07) ? 1 : 0);

For ethernet, that's: (6+2)/8+(6+2)%8 = 1

p = pbuf_alloc(PBUF_IP, sizeof(struct rs_header) + lladdr_opt_len, PBUF_RAM);

sizeof(struct rs_header) = 8

sizeof(struct rs_header) + lladdr_opt_len = 9



  /* Set fields. */
  rs_hdr = (struct rs_header *)p->payload;

  rs_hdr->type = ICMP6_TYPE_RS;
  rs_hdr->code = 0;
  rs_hdr->chksum = 0;
  rs_hdr->reserved = 0;


ok!


  if (src_addr != IP6_ADDR_ANY) {
    /* Include our hw address. */
    lladdr_opt = (struct lladdr_option *)((u8_t*)p->payload + sizeof(struct rs_header));
    lladdr_opt->type = ND6_OPTION_TYPE_SOURCE_LLADDR;
    lladdr_opt->length = lladdr_opt_len;
    SMEMCPY(lladdr_opt->addr, netif->hwaddr, netif->hwaddr_len);
  }

lladdr_opt is out of bounds, isn't it? We only allocated 9 bytes; it looks like
we need to allocate sizeof(struct rs_header) + sizeof(struct lladdr_option)
instead, but I am not sure.


Sylvain
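
The size arithmetic from the message above, as an added example (not code from the post or from lwIP): it compares the size the quoted pbuf_alloc() call requests with the bytes the header and option writes touch, and with the size obtained when the option length is converted from 8-octet units (how RFC 4861 defines that field) to octets. The byte-offset layout and the helper build_rs() are hypothetical stand-ins for lwIP's structs and nd6_send_rs().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RS_HDR_LEN 8u   /* sizeof(struct rs_header), as stated in the post */
#define OPT_HDR_LEN 2u  /* option type octet + option length octet */
#define ICMP6_TYPE_RS 133u
#define ND6_OPTION_TYPE_SOURCE_LLADDR 1u

/* Option length in units of 8 octets, same formula as in the post. */
static size_t lladdr_opt_units(size_t hwaddr_len) {
  return ((hwaddr_len + 2) >> 3) + (((hwaddr_len + 2) & 0x07) ? 1 : 0);
}

/* Size requested by the pbuf_alloc() call quoted in the post. */
static size_t rs_alloc_as_posted(size_t hwaddr_len) {
  return RS_HDR_LEN + lladdr_opt_units(hwaddr_len);
}

/* Size when the unit count is converted to octets before allocating. */
static size_t rs_alloc_in_octets(size_t hwaddr_len) {
  return RS_HDR_LEN + (lladdr_opt_units(hwaddr_len) << 3);
}

/* One past the last byte offset written by the header and option code. */
static size_t rs_bytes_written(size_t hwaddr_len) {
  return RS_HDR_LEN + OPT_HDR_LEN + hwaddr_len;
}

/* Bounds-checked builder (hypothetical): returns message length, 0 on refusal. */
static size_t build_rs(uint8_t *buf, size_t cap, const uint8_t *hwaddr, size_t hwaddr_len) {
  size_t need = rs_alloc_in_octets(hwaddr_len);
  if (cap < need || lladdr_opt_units(hwaddr_len) > 255) return 0;
  memset(buf, 0, need);                      /* code, chksum, reserved, padding */
  buf[0] = ICMP6_TYPE_RS;
  buf[RS_HDR_LEN] = ND6_OPTION_TYPE_SOURCE_LLADDR;
  buf[RS_HDR_LEN + 1] = (uint8_t)lladdr_opt_units(hwaddr_len);
  memcpy(&buf[RS_HDR_LEN + OPT_HDR_LEN], hwaddr, hwaddr_len);
  return need;
}

int main(void) {
  const uint8_t mac[6] = {0x02, 0, 0, 0, 0, 0x01}; /* constructed sample address */
  uint8_t buf[32];
  printf("as posted: %zu, written: %zu, in octets: %zu\n",
         rs_alloc_as_posted(6), rs_bytes_written(6), rs_alloc_in_octets(6));
  printf("cap 9 -> %zu, cap 16 -> %zu\n", build_rs(buf, 9, mac, 6), build_rs(buf, 16, mac, 6));
  return 0;
}
```

For a 6-byte Ethernet address the writes reach 16 bytes while the posted expression requests 9, which matches the 9-byte figure in the message.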
