
[lwip-devel] [bug #51789] TCP_EVENT_CLOSE, tcp_close() and possible use


From: Art Heers
Subject: [lwip-devel] [bug #51789] TCP_EVENT_CLOSE, tcp_close() and possible use of pcb with tcp_output()
Date: Fri, 18 Aug 2017 17:28:36 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?51789>

                 Summary: TCP_EVENT_CLOSE, tcp_close() and possible use of pcb
with tcp_output()
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: artheers
            Submitted on: Fri 18 Aug 2017 09:28:34 PM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.0.0

    _______________________________________________________

Details:

I am not sure, but if the callback function pcb->recv does tcp_close(pcb)
when TCP_EVENT_CLOSE is the callback, which it does if pcb->recv is NULL, it
is possible the tcp_close(pcb) will deallocate pcb if the pcb is in certain
states, like CLOSED.  Yet subsequent to the callback the pcb is used by
calling tcp_output(pcb).  This obviously can cause memory corruption.

To avoid this, I have generally called tcp_abort() or tcp_abandon() with the
TCP_EVENT_CLOSE callback and returned ERR_ABRT.  But again, if pcb->recv is
left NULL then the callback will return tcp_close().

Am I missing something?




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?51789>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
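
The hazard raised in the report above, as an added example that is not part of the original message and is not lwIP source. It is a simplified model with hypothetical names (model_pcb, deliver_close, M_OK, M_ABRT) and a one-slot static pool, so a "freed" pcb can be inspected safely; it shows why a callback that releases the pcb has to return an abort code the caller checks before calling output.

```c
#include <stdio.h>
#include <stddef.h>

enum { M_OK = 0, M_ABRT = -1 };   /* stand-ins for ERR_OK / ERR_ABRT (values assumed) */

struct model_pcb;
typedef int (*recv_fn)(struct model_pcb *pcb, const void *data);

struct model_pcb {
  int in_use;       /* pool slot state, as in a fixed-pool allocator */
  recv_fn recv;     /* application callback */
  int outputs;      /* successful output calls on a live pcb */
  int stale_uses;   /* output calls made after the slot was released */
};

static struct model_pcb pool[1];  /* static storage: readable even after "free" */

static struct model_pcb *pcb_alloc(recv_fn cb) {
  pool[0] = (struct model_pcb){ .in_use = 1, .recv = cb };
  return &pool[0];
}
static void pcb_free(struct model_pcb *pcb) { pcb->in_use = 0; }

static void model_output(struct model_pcb *pcb) {
  if (!pcb->in_use) { pcb->stale_uses++; return; }  /* a real stack would touch freed memory here */
  pcb->outputs++;
}

/* Releases the pcb on the close event but reports success: the caller cannot tell. */
static int cb_free_returns_ok(struct model_pcb *pcb, const void *data) {
  if (data == NULL) pcb_free(pcb);
  return M_OK;
}
/* The poster's workaround: release the pcb, then return the abort code. */
static int cb_free_returns_abrt(struct model_pcb *pcb, const void *data) {
  if (data == NULL) { pcb_free(pcb); return M_ABRT; }
  return M_OK;
}

/* Deliver the close event (data == NULL), then output; returns stale accesses seen. */
static int deliver_close(struct model_pcb *pcb) {
  int err = pcb->recv(pcb, NULL);
  if (err == M_ABRT) return 0;    /* pcb is gone: do not touch it again */
  model_output(pcb);
  return pool[0].stale_uses;
}

int main(void) {
  printf("free + OK:   stale uses = %d\n", deliver_close(pcb_alloc(cb_free_returns_ok)));
  printf("free + ABRT: stale uses = %d\n", deliver_close(pcb_alloc(cb_free_returns_abrt)));
  return 0;
}
```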

