lwip-users

Re: [lwip-users] [LwIP 1.4.1] Ping length of 92 bytes via PPP crashes Lw


From: Marco Jakobs
Subject: Re: [lwip-users] [LwIP 1.4.1] Ping length of 92 bytes via PPP crashes LwIP core/pbuf.c
Date: Mon, 15 May 2017 14:51:42 +0200

Hi Simon,

I think I have found the issue but I don't deeply understand why this does not 
crash the Ethernet version as this seems to be a bug in pbuf_copy ... but as 
this is in a commonly used routine I want to have your opinion on my fix.

I saw that the issue only happens when a pbuf is filled right up to its end. 
Let's have a look at pbuf.c, lines 879-883:

    if (offset_from >= p_from->len) {
      /* on to next p_from (if any) */
      offset_from = 0;
      p_from = p_from->next;
    }

So if the number of bytes copied is >= the pbuf length of the "from" chain, it 
resets the offset to 0 and references the next pbuf in the chain. Looks good 
to me.

But now the same for the target pbuf chain:

    if (offset_to == p_to->len) {
      /* on to next p_to (if any) */
      offset_to = 0;
      p_to = p_to->next;
      LWIP_ERROR("p_to != NULL", (p_to != NULL) || (p_from == NULL) , return ERR_ARG;);
    }

First, it only references to offset *equals* the pbuf len (I'd change that to 
>= also), but the bug is in the LWIP_ERROR line:

The error kicks in when there is no next p_from pbuf (which is fine) or when 
there *is* a next p_to pbuf. In my opinion the error should kick in if there is 
either no active "p_from" or no active "p_to" at this place.

I've fixed it to this and it's working:

    if (offset_to >= p_to->len) {
      /* on to next p_to (if any) */
      offset_to = 0;
      p_to = p_to->next;
      LWIP_ERROR("p_to == NULL", (p_to == NULL) || (p_from == NULL) , return ERR_ARG;);
    }

Any comments? Otherwise I'd recommend pushing that into 1.4.1 and checking if 
2.0.x still has this issue also.

Marco
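
The boundary case discussed in this message, as an added example that is not part of the original post and is not lwIP source: a simplified model of the copy loop that evaluates both the check quoted from pbuf.c and the check proposed above on three chain shapes. The names `model_copy`, `run_case` and `MODEL_NULL_DEREF`, the 8-byte pbufs, and the reduced `struct pbuf` and `LWIP_ERROR` definitions are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for lwIP definitions (assumptions for this model, not lwIP source). */
typedef int err_t;
enum { ERR_OK = 0, ERR_ARG = -1, MODEL_NULL_DEREF = -99 };  /* constructed values */
/* Contract of lwIP's LWIP_ERROR: the handler runs when the expression is FALSE. */
#define LWIP_ERROR(msg, expr, handler) do { if (!(expr)) { handler; } } while (0)
struct pbuf { struct pbuf *next; unsigned char *payload; size_t len; };

/* variant 0: check as quoted from pbuf.c; variant 1: check as proposed in the message. */
static err_t model_copy(struct pbuf *p_to, struct pbuf *p_from, int variant)
{
  size_t offset_to = 0, offset_from = 0;
  while (p_from != NULL) {
    if (p_to == NULL) return MODEL_NULL_DEREF; /* real code would dereference NULL here */
    size_t room = p_to->len - offset_to, left = p_from->len - offset_from;
    size_t len = room < left ? room : left;
    memcpy(p_to->payload + offset_to, p_from->payload + offset_from, len);
    offset_to += len;
    offset_from += len;
    if (offset_from >= p_from->len) { offset_from = 0; p_from = p_from->next; }
    if (offset_to >= p_to->len) {   /* same as == here: offset_to never exceeds len */
      offset_to = 0;
      p_to = p_to->next;
      int ok = (variant == 0) ? ((p_to != NULL) || (p_from == NULL))   /* as quoted */
                              : ((p_to == NULL) || (p_from == NULL));  /* as proposed */
      LWIP_ERROR("destination check", ok, return ERR_ARG;);
    }
  }
  return ERR_OK;
}

/* Build chains of n_to and n_from 8-byte pbufs (max 4 each, constructed data) and copy. */
static err_t run_case(int n_to, int n_from, int variant)
{
  static unsigned char dst[4][8], src[4][8];
  struct pbuf to[4], from[4];
  for (int i = 0; i < 4; i++) {
    to[i] = (struct pbuf){ i + 1 < n_to ? &to[i + 1] : NULL, dst[i], 8 };
    from[i] = (struct pbuf){ i + 1 < n_from ? &from[i + 1] : NULL, src[i], 8 };
  }
  return model_copy(to, from, variant);
}

int main(void)
{
  for (int v = 0; v < 2; v++) printf("variant %d: 1->1 %d, 2->2 %d, 2 into 1 %d\n", v, run_case(1, 1, v), run_case(2, 2, v), run_case(1, 2, v));
  return 0;
}
```

The three shapes are an exact single-pbuf fill, a two-pbuf chain copied into a two-pbuf chain, and a two-pbuf source copied into a destination that runs out after one pbuf.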





