Re: [lwip-devel] Bad memory ref in tcp_input() after tcp

lwip-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close()

From:	Per Ekman
Subject:	Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close()
Date:	Wed, 22 Jan 2014 09:30:33 +0100
User-agent:	Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Ping? I would have entered this as a bug but I could not
get the Savannah login to work.

Per Ekman <address@hidden> writes:

> Hello,
>
> I've observed the following with the rawapi in lwip 1.4.1 :
>
> - tcp_input():356 calls the application receive callback on a pcb
> which is in CLOSE_WAIT. 
>
> - The application receive callback calls tcp_close()
>
> - tcp_close_shutdown() sees that the pcb is in CLOSE_WAIT and that
>   pcb->rcv_wnd != TCP_WND which causes it to free the pcb
>   and return ERR_OK
>
> - The application receive callback returns ERR_OK to tcp_input()
>   which proceeds to dereference the freed pcb and passes it to
>   tcp_output() (tcp_input():386)
>
> I'm testing the following fix. I'd appreciate feedback if this is the
> way to go or not.
>
> Sincerely
> Per Ekman
> H&D Wireless AB
>
>
> From 147c37d9d43a496669092c1fc2febe7aaf5fe3df Mon Sep 17 00:00:00 2001
> From: Per Ekman <address@hidden>
> Date: Fri, 5 Jul 2013 12:52:32 +0200
> Subject: [PATCH 1/1] Attempt to fix invalid pcb free in tcp_close().
>
> ---
>  src/core/tcp.c |   11 ++++++++---
>  1 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/src/core/tcp.c b/src/core/tcp.c
> index 8690cd2..b4bd896 100644
> --- a/src/core/tcp.c
> +++ b/src/core/tcp.c
> @@ -185,15 +185,14 @@ tcp_close_shutdown(struct tcp_pcb *pcb, u8_t 
> rst_on_unacked_data)
>        tcp_rst(pcb->snd_nxt, pcb->rcv_nxt, &pcb->local_ip, &pcb->remote_ip,
>                 pcb->local_port, pcb->remote_port, PCB_ISIPV6(pcb));
>  
> +      if (pcb->state == CLOSE_WAIT)
> +              return ERR_OK;
>        tcp_pcb_purge(pcb);
>        TCP_RMV_ACTIVE(pcb);
>        if (pcb->state == ESTABLISHED) {
>          /* move to TIME_WAIT since we close actively */
>          pcb->state = TIME_WAIT;
>          TCP_REG(&tcp_tw_pcbs, pcb);
> -      } else {
> -        /* CLOSE_WAIT: deallocate the pcb since we already sent a RST for it 
> */
> -        memp_free(MEMP_TCP_PCB, pcb);
>        }
>        return ERR_OK;
>      }
> @@ -913,6 +912,12 @@ tcp_slowtmr_start:
>          }
>        }
>      }
> +    if (pcb->state == CLOSE_WAIT) {
> +      if (pcb->flags & TF_RXCLOSED) {
> +          ++pcb_remove;
> +          LWIP_DEBUGF(TCP_DEBUG, ("tcp_slowtmr: removing pcb in 
> CLOSE_WAIT\n"));
> +      }
> +    }
>      /* Check if this PCB has stayed too long in FIN-WAIT-2 */
>      if (pcb->state == FIN_WAIT_2) {
>        /* If this PCB is in FIN_WAIT_2 because of SHUT_WR don't let it time 
> out. */
> -- 
> 1.7.0.4

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close(), Per Ekman <=
- Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close(), Valery Ushakov, 2014/01/22
  - Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close(), address@hidden, 2014/01/22
    - Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close(), Per Ekman, 2014/01/23
  - Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close(), Per Ekman, 2014/01/23
    - Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close(), Valery Ushakov, 2014/01/24

Prev by Date: [lwip-devel] [patch #7993] Add support for transmitting packets with VLAN headers
Next by Date: Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close()
Previous by thread: [lwip-devel] [patch #7920] thread-safe dhcp calls from api
Next by thread: Re: [lwip-devel] Bad memory ref in tcp_input() after tcp_close()
Index(es):
- Date
- Thread