[lwip-devel] [bug #50040] pbuf_alloc(..., 65534, PBUF_RAM) succeeds
From: chrysn
Subject: [lwip-devel] [bug #50040] pbuf_alloc(..., 65534, PBUF_RAM) succeeds
Date: Thu, 12 Jan 2017 17:56:21 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Linux) AppleWebKit/537.32 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.32 Midori/0.5
URL:
<http://savannah.nongnu.org/bugs/?50040>
Summary: pbuf_alloc(..., 65534, PBUF_RAM) succeeds
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: chrysn
Submitted on: Thu 12 Jan 2017 05:56:20 PM GMT
Category: None
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
When very large memory allocations are requested from pbuf_alloc in the RAM
area, the allocations succeed; this usually runs like this:
* Application has an integer underflow in size calculation, resulting in a
  length request of 65534 (= -2 mod 16)
* The application requests a RAM pbuf.
* pbuf_alloc adds (aligned) `SIZEOF_STRUCT_PBUF + offset` to the length
  without checking for overflows
* pbuf_alloc requests a few bytes of memory from mem_malloc, which succeeds
* The buffer is constructed with the originally requested length as .len
* The application happily populates the buffer, overwriting memory that is not
  even owned by mem_malloc

This typical situation described above could be argued to be the application's
fault, but applications should be allowed to rely on pbuf_alloc to request any
16-bit size; if lwIP's required pbuf and offset sizes would make this overflow,
lwIP should return NULL and not a wrongly allocated buffer.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?50040>
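
The 16-bit wrap described in the report, modelled in isolation beside a checked size calculation. This is an added example, not lwIP's code and not code from the reporter; the alignment, the header size standing in for SIZEOF_STRUCT_PBUF, the offset of 54 and all function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for illustration; not taken from lwIP's headers. */
#define ALIGNMENT   4u
#define HDR_SIZE    16u   /* assumed size standing in for SIZEOF_STRUCT_PBUF */
#define ALIGN_UP(n) (((n) + ALIGNMENT - 1u) & ~(ALIGNMENT - 1u))

/* Unchecked: the sum is truncated to a 16-bit size type, so it can wrap. */
static uint16_t alloc_size_unchecked(uint16_t offset, uint16_t length)
{
    return (uint16_t)(ALIGN_UP(HDR_SIZE + offset) + ALIGN_UP(length));
}

/* Checked: compute in 32 bits and reject totals that do not fit in 16 bits.
 * Returns 1 and stores the size, or 0 when the allocator should return NULL. */
static int alloc_size_checked(uint16_t offset, uint16_t length, uint16_t *out)
{
    uint32_t total = ALIGN_UP((uint32_t)HDR_SIZE + offset)
                   + ALIGN_UP((uint32_t)length);
    if (total > UINT16_MAX) {
        return 0;
    }
    *out = (uint16_t)total;
    return 1;
}

/* Bytes a caller would write past the block if it trusts .len == length. */
static uint32_t overrun_bytes(uint16_t offset, uint16_t length)
{
    uint32_t needed = ALIGN_UP((uint32_t)HDR_SIZE + offset) + length;
    uint16_t got = alloc_size_unchecked(offset, length);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    uint16_t sz = 0;
    printf("unchecked(54, 65534): %u bytes requested\n",
           (unsigned)alloc_size_unchecked(54, 65534));
    printf("overrun if .len is trusted: %lu bytes\n",
           (unsigned long)overrun_bytes(54, 65534));
    printf("checked(54, 65534): %s\n",
           alloc_size_checked(54, 65534, &sz) ? "ok" : "rejected, return NULL");
    return 0;
}
```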