|
| From: | Ambroz Bizjak |
| Subject: | [lwip-devel] [bug #48539] Possible crash when packet received in SYN_SENT state |
| Date: | Sun, 17 Jul 2016 09:44:57 +0000 (UTC) |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
URL:
<http://savannah.nongnu.org/bugs/?48539>
Summary: Possible crash when packet received in SYN_SENT
state
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: abizjak
Submitted on: Sun 17 Jul 2016 09:44:55 AM GMT
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
While looking at the code I see a hazard in the tcp_process() SYN_SENT case
when accessing pcb->unacked->tcphdr->seqno.
The pcb->unacked could be NULL, I think in the following cases:
(1) tcp_output() in tcp_connect() failed to output the segment; the segment
has never been put into unacked.
(2) tcp_output() in tcp_rexmit_rto() failed to output the segment; the segment
has been moved back to unsent and stayed there.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?48539>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
| [Prev in Thread] | Current Thread | [Next in Thread] |