
[lwip-users] Re: [lwip] ip_input bug


From: leon . woestenberg
Subject: [lwip-users] Re: [lwip] ip_input bug
Date: Thu, 09 Jan 2003 00:59:34 -0000

Hello Tim,

thanks for the bug report.

The fragment support was only recently added in lwIP, and yes, the DHCP
code was originally based on single pbufs.

But if you have any ideas how to make DHCP less of a hack, I welcome them.

Regards,

Leon.


From: address@hidden (Tim Newsham)
Sent by: address@hidden
Date: 18-12-2002 02:57
To: address@hidden
cc:
Subject: [lwip] ip_input bug
Please respond to: lwip

Some code from ip_input.  There's lots wrong with this:

  /* If a DHCP packet has arrived on the interface, we pass it up the
     stack regardless of destination IP address. The reason is that
     DHCP replies are sent to the IP adress that will be given to this
     node (as recommended by RFC 1542 section 3.1.1, referred by RFC
     2131). */
  if(IPH_PROTO(iphdr) == IP_PROTO_UDP &&
     ((struct udp_hdr *)((u8_t *)iphdr + IPH_HL(iphdr) * 4/sizeof(u8_t)))->src ==
     DHCP_SERVER_PORT) {
    netif = inp;
  }


1) accessing the pbuf improperly (is there a requirement that
   ip_input is called with a pbuf with only 1 buffer on it?
   It looks like all of ip_input access p->payload directly
   without checking if there are other buffers in the chain)
2) no length check.  If there's a short udp header, this
   will access undefined parts of memory
3) no fragment check.  If this is not the first fragment,
   it's meaningless to look past the IP header w/o reassembly.

seems like a bad way to hack in support for dhcp.

Tim N.

[This message was sent through the lwip discussion list.]
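
The three checks listed in the report (headers inside the first buffer, length, fragment offset), applied before the UDP source port is read. This is an added example, not lwIP code and not code from either poster; `looks_like_dhcp_reply`, `check_sample` and the sample packets are constructed for illustration, and a plain byte buffer stands in for the first pbuf's payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_UDP        17u      /* IPv4 protocol number for UDP */
#define DHCP_SERVER_PORT 67u      /* BOOTP/DHCP server port */
#define IP_OFFMASK       0x1fffu  /* fragment offset bits of the flags/offset field */
#define UDP_HLEN         8u

/* Read a 16-bit field stored in network byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf/len describe the FIRST buffer of a chain only (assumption of this sketch).
 * Returns 1 only when the UDP header is provably present and its source port is 67. */
int looks_like_dhcp_reply(const uint8_t *buf, size_t len)
{
    size_t ihl;

    if (buf == NULL || len < 20) return 0;         /* short IP header */
    if ((buf[0] >> 4) != 4) return 0;              /* not IPv4 */
    ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20) return 0;                        /* bogus header length */
    if (buf[9] != PROTO_UDP) return 0;
    if (rd16(buf + 6) & IP_OFFMASK) return 0;      /* later fragment: no UDP header here */
    if (len < ihl + UDP_HLEN) return 0;            /* UDP header not within this buffer */
    if (rd16(buf + 2) < ihl + UDP_HLEN) return 0;  /* IP total length too small */
    return rd16(buf + ihl) == DHCP_SERVER_PORT;    /* source port, network order */
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header, only `len` bytes visible. */
int check_sample(size_t len, uint16_t frag_field, uint16_t sport)
{
    uint8_t pkt[28] = {0};
    pkt[0] = 0x45;                                 /* IPv4, IHL = 5 words */
    pkt[3] = 28;                                   /* IP total length */
    pkt[6] = (uint8_t)(frag_field >> 8); pkt[7] = (uint8_t)(frag_field & 0xff);
    pkt[9] = PROTO_UDP;
    pkt[20] = (uint8_t)(sport >> 8); pkt[21] = (uint8_t)(sport & 0xff);
    pkt[23] = 68;                                  /* destination port: DHCP client */
    return looks_like_dhcp_reply(pkt, len < sizeof pkt ? len : sizeof pkt);
}

int main(void)
{
    printf("complete packet:      %d\n", check_sample(28, 0, 67));
    printf("truncated UDP header: %d\n", check_sample(22, 0, 67));
    printf("later fragment:       %d\n", check_sample(28, 0x00b9, 67));
    return 0;
}
```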



