[lwip-devel] [bug #48506] Possible crash when TCP poll callback results
From: Ambroz Bizjak
Subject: [lwip-devel] [bug #48506] Possible crash when TCP poll callback results in ERR_ABRT
Date: Wed, 13 Jul 2016 23:10:24 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
URL:
<http://savannah.nongnu.org/bugs/?48506>
Summary: Possible crash when TCP poll callback results in
ERR_ABRT
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: abizjak
Submitted on: Wed 13 Jul 2016 11:10:21 PM GMT
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
While reading the code I found this issue: in tcp_slowtmr(), if TCP_EVENT_POLL
results in ERR_ABRT, the "prev" PCB will have been deallocated, but "prev" is
left unchanged and potentially used in the next iterations of the loop for
removing PCBs from the active list. Note the comments acknowledge the
possibility of "prev" retiring but its subsequent use is not considered.

    } else {
      /* get the 'next' element now and work with 'prev' below (in case of
         abort) */
      prev = pcb;
      pcb = pcb->next;
      /* We check if we should poll the connection. */
      ++prev->polltmr;
      if (prev->polltmr >= prev->pollinterval) {
        prev->polltmr = 0;
        LWIP_DEBUGF(TCP_DEBUG, ("tcp_slowtmr: polling application\n"));
        tcp_active_pcbs_changed = 0;
        TCP_EVENT_POLL(prev, err);
        if (tcp_active_pcbs_changed) {
          goto tcp_slowtmr_start;
        }
        /* if err == ERR_ABRT, 'prev' is already deallocated */
        if (err == ERR_OK) {
          tcp_output(prev);
        }
      }
    }

_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 13 Jul 2016 11:10:21 PM GMT Name: prev.patch Size: 2kB By:
abizjak
Possible fix - untested, no warranty :)
<http://savannah.nongnu.org/bugs/download.php?file_id=37866>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?48506>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
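
The hazard described in this report, reduced to a stand-alone toy list as an added example (it is not lwIP code and not the attached prev.patch; every name in it is hypothetical). With guard set, 'prev' falls back to the last surviving node when the poll callback aborts the node just polled; without it, the removal path writes through a released node and the expired node stays linked.

```c
#include <stddef.h>

/* Toy model with hypothetical names; this is not lwIP code. */
struct node { struct node *next; int live, expired, abort_on_poll; };
static struct node pool[3], *head;
static int stale_uses;  /* times a released node was used as 'prev' */

/* Poll callback. An aborting node is unlinked and released here, as an abort
   issued from inside the callback would do; -1 is an ERR_ABRT stand-in. */
static int poll_cb(struct node *n) {
  struct node **pp = &head;
  if (!n->abort_on_poll) return 0;
  while (*pp != n) pp = &(*pp)->next;
  *pp = n->next;
  n->live = 0;  /* stands in for freeing the memory */
  return -1;
}

/* One timer pass; guard != 0 restores 'prev' when the polled node is gone. */
static void slow_timer(int guard) {
  struct node *prev = NULL, *pcb = head;
  while (pcb != NULL) {
    struct node *cur = pcb, *before = prev;
    pcb = pcb->next;  /* fetch 'next' before any callback runs */
    if (!cur->expired) {
      prev = cur;
      if (poll_cb(cur) != 0 && guard) prev = before;  /* cur was released */
    } else if (prev == NULL) {
      head = pcb;  /* expired node was the list head */
      cur->live = 0;
    } else {
      if (!prev->live) stale_uses++;  /* real code would touch freed memory */
      prev->next = pcb;  /* unlink the expired node via 'prev' */
      cur->live = 0;
    }
  }
}

/* Constructed list A -> B -> C: B aborts when polled, C has expired.
   Returns how many released nodes stay reachable from head afterwards. */
static int run(int guard) {
  int i, dead = 0;
  for (i = 0; i < 3; i++)
    pool[i] = (struct node){ i < 2 ? &pool[i + 1] : NULL, 1, i == 2, i == 1 };
  head = &pool[0]; stale_uses = 0;
  slow_timer(guard);
  for (struct node *n = head; n != NULL; n = n->next) dead += !n->live;
  return dead;
}
int main(void) { return run(1); }
```

The nodes live in a static pool, so the unguarded pass stays memory-safe here and the stale use is only counted; with heap-allocated PCBs the same write would land in freed memory.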