lwip-devel

[lwip-devel] [bug #50040] pbuf_alloc(..., 65534, PBUF_RAM) succedes


From: chrysn
Subject: [lwip-devel] [bug #50040] pbuf_alloc(..., 65534, PBUF_RAM) succedes
Date: Thu, 12 Jan 2017 17:56:21 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.32 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.32 Midori/0.5

URL:
  <http://savannah.nongnu.org/bugs/?50040>

                 Summary: pbuf_alloc(..., 65534, PBUF_RAM) succedes
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: chrysn
            Submitted on: Thu 12 Jan 2017 05:56:20 PM GMT
                Category: None
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

When very large memory allocations are requested from pbuf_alloc in the RAM
area, the allocations succeed; this usually runs like this:

* Application has an integer underflow in size calculation, resulting in a
length request of 65534 (= -2 mod 16)
* The application requests a RAM pbuf.
* pbuf_alloc adds (aligned) `SIZEOF_STRUCT_PBUF + offset` to the length
without checking for overflows
* pbuf_alloc requests a few bytes of memory from mem_malloc, which succeeds
* The buffer is constructed with the originally requested length as .len
* The application happily populates the buffer, overwriting memory that is not
even owned by mem_malloc

This typical situation described above could be argued to be the application's
fault, but applications should be allowed to rely on pbuf_alloc to request any
16-bit size; if lwIP's required pbuf and offset sizes would make this overflow,
lwIP should return NULL and not a wrongly allocated buffer.
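The arithmetic the report describes, as an added example that is not lwIP's own code: a model in which the allocator size is a 16-bit type, so the sum of the aligned header, offset and requested length silently wraps, beside a checked variant that computes in a wider type and refuses the request. The constants, alignment macro and function names are constructed placeholders, not the project's real values or API.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16_t;

/* Constructed stand-ins for the aligned struct pbuf size and the memory
 * alignment; chosen for illustration, not lwIP's configured values. */
#define MODEL_SIZEOF_STRUCT_PBUF 16u
#define MODEL_MEM_ALIGNMENT      4u
#define MODEL_ALIGN_SIZE(sz) \
    (((sz) + MODEL_MEM_ALIGNMENT - 1u) & ~(MODEL_MEM_ALIGNMENT - 1u))

/* Unchecked variant (hypothetical): the total is computed, then handed to an
 * allocator whose size parameter is 16 bits wide. The cast reproduces the
 * truncation the report describes: a 65534-byte request becomes a request
 * for a few bytes, while the pbuf's .len still says 65534. */
u16_t model_alloc_size_unchecked(u16_t length, u16_t offset)
{
    unsigned total = MODEL_ALIGN_SIZE(MODEL_SIZEOF_STRUCT_PBUF + offset)
                   + MODEL_ALIGN_SIZE(length);
    return (u16_t)total;   /* silently wraps modulo 65536 */
}

/* Checked variant (hypothetical): same arithmetic in 32-bit width, refused
 * when the result does not fit the 16-bit allocator size. Returns the size
 * to allocate, or -1 where pbuf_alloc should return NULL instead. */
int32_t model_alloc_size_checked(u16_t length, u16_t offset)
{
    uint32_t total = MODEL_ALIGN_SIZE((uint32_t)MODEL_SIZEOF_STRUCT_PBUF + offset)
                   + MODEL_ALIGN_SIZE((uint32_t)length);
    if (total > UINT16_MAX) {
        return -1;         /* would overflow: caller must return NULL */
    }
    return (int32_t)total;
}

int main(void)
{
    /* Constructed inputs: a sane request, and the wrapped -2 from the report. */
    u16_t lengths[] = { 100u, 65534u };
    for (unsigned i = 0; i < 2; i++) {
        u16_t len = lengths[i];
        printf("request %5u: unchecked allocates %5u bytes, checked -> %d\n",
               len, model_alloc_size_unchecked(len, 0),
               model_alloc_size_checked(len, 0));
    }
    return 0;
}
```

With the model constants, a 100-byte request allocates 116 bytes either way, whereas the 65534-byte request makes the unchecked variant ask the allocator for 16 bytes (65552 truncated to 16 bits) and the checked variant refuse it, which is the NULL return the report asks for.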

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?50040>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
