
[lwip-devel] [bug #48506] Possible crash when TCP poll callback results


From: Ambroz Bizjak
Subject: [lwip-devel] [bug #48506] Possible crash when TCP poll callback results in ERR_ABRT
Date: Wed, 13 Jul 2016 23:10:24 +0000 (UTC)

URL:
  <http://savannah.nongnu.org/bugs/?48506>

                 Summary: Possible crash when TCP poll callback results in ERR_ABRT
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: abizjak
            Submitted on: Wed 13 Jul 2016 11:10:21 PM GMT
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

While reading the code I found this issue: in tcp_slowtmr(), if TCP_EVENT_POLL
results in ERR_ABRT, the "prev" PCB will have been deallocated, but "prev" is
left unchanged and potentially used in the next iterations of the loop for
removing PCBs from the active list. Note the comments acknowledge the
possibility of "prev" retiring but its subsequent use is not considered.


    } else {
      /* get the 'next' element now and work with 'prev' below (in case of abort) */
      prev = pcb;
      pcb = pcb->next;

      /* We check if we should poll the connection. */
      ++prev->polltmr;
      if (prev->polltmr >= prev->pollinterval) {
        prev->polltmr = 0;
        LWIP_DEBUGF(TCP_DEBUG, ("tcp_slowtmr: polling application\n"));
        tcp_active_pcbs_changed = 0;
        TCP_EVENT_POLL(prev, err);
        if (tcp_active_pcbs_changed) {
          goto tcp_slowtmr_start;
        }
        /* if err == ERR_ABRT, 'prev' is already deallocated */
        if (err == ERR_OK) {
          tcp_output(prev);
        }
      }
    }



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 13 Jul 2016 11:10:21 PM GMT  Name: prev.patch  Size: 2kB   By: abizjak
Possible fix - untested, no warranty :)
<http://savannah.nongnu.org/bugs/download.php?file_id=37866>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?48506>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
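
The stale-predecessor hazard described in the report above, reduced to a self-contained C model of a list walk that records a predecessor only after the poll callback has returned without aborting. This is an added example, not lwIP code and not the attached prev.patch; `struct node`, `poll_cb`, `slow_timer` and `build` are hypothetical names, and the model assumes a callback frees only the node being polled.

```c
#include <stdlib.h>
/* Hypothetical stand-in for a PCB on a singly linked active list. */
struct node { struct node *next; int remove_now; int abort_on_poll; };
enum { POLL_OK = 0, POLL_ABRT = -1 };
/* Models a poll callback: on abort it unlinks the node (search from head) and frees it. */
static int poll_cb(struct node **head, struct node *n) {
    struct node **pp = head;
    if (!n->abort_on_poll) return POLL_OK;
    while (*pp != n) pp = &(*pp)->next;
    *pp = n->next;
    free(n);
    return POLL_ABRT;
}

/* One timer pass; returns how many nodes stay on the list. */
static int slow_timer(struct node **head) {
    struct node *last_live = NULL, *cur = *head;
    int left = 0;
    while (cur != NULL) {
        struct node *next = cur->next;      /* read before cur can be freed */
        if (cur->remove_now) {              /* timer-driven removal needs the predecessor */
            if (last_live != NULL) last_live->next = next; else *head = next;
            free(cur);
        } else if (poll_cb(head, cur) == POLL_OK) {
            last_live = cur;                /* still linked, so a valid predecessor */
            left++;
        }                                   /* POLL_ABRT: cur is freed, last_live unchanged */
        cur = next;
    }
    return left;
}

/* Builds a list from constructed flag arrays (sample input, not lwIP data). */
static struct node *build(const int *rm, const int *ab, int n) {
    struct node *head = NULL;
    while (n-- > 0) {
        struct node *x = malloc(sizeof *x);
        if (x == NULL) abort();
        x->next = head; x->remove_now = rm[n]; x->abort_on_poll = ab[n];
        head = x;
    }
    return head;
}

int main(void) {   /* node 1 aborts in its poll, node 2 is then removed by the timer */
    const int rm[] = {0, 0, 1, 0}, ab[] = {0, 1, 0, 0};
    struct node *head = build(rm, ab, 4);
    return slow_timer(&head) == 2 ? 0 : 1;
}
```

Setting the predecessor before the callback, as the quoted loop does with `prev = pcb`, would make the removal branch write through freed memory on the iteration after an abort.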



