lwip-devel

[lwip-devel] [bug #52676] tcp: pcb->unsent_oversize not cleared segment split leading to memory corruption


From: Joel Cunningham
Subject: [lwip-devel] [bug #52676] tcp: pcb->unsent_oversize not cleared segment split leading to memory corruption
Date: Fri, 15 Dec 2017 13:32:30 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

URL:
  <http://savannah.nongnu.org/bugs/?52676>

                 Summary: tcp: pcb->unsent_oversize not cleared segment split leading to memory corruption
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: jcunningham
            Submitted on: Fri 15 Dec 2017 06:32:28 PM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: In Progress
                 Privacy: Public
             Assigned to: jcunningham
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

I found a bug in tcp_split_unsent_seg() where if there is a single oversized
segment being split, pcb->unsent_oversize is not cleared, leading to memory
corruption if tcp_write is called before the remainder of the split is sent
via tcp_output().

Just as a refresher, the split is accomplished by calling pbuf_realloc() on
the head to shrink it to the split size, then a new pbuf (of exact size) is
allocated for the remainder and added after the head.

I updated the test_tcp_persist_split unit test to explicitly check for this
case.

Just wanted an RFC on this fix before pushing it.  I haven't worked as much
with the oversize feature, so I wanted to make sure I have a correct
understanding.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 15 Dec 2017 06:32:28 PM UTC  Name: 0001-tcp-clear-unsent_oversize-during-segment-split.patch  Size: 6KiB  By: jcunningham

<http://savannah.nongnu.org/bugs/download.php?file_id=42658>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?52676>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
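The failure mode in the report above, reduced to a small C model (added example, not lwIP's code): `write_model`, `split_model`, `scenario` and the `seg`/`pcb` structs are simplified stand-ins for tcp_write(), tcp_split_unsent_seg() and the pbuf/pcb state, and the 64/40/24/20/10 byte sizes are constructed. It shows why a stale `unsent_oversize` after a split lets the next write run past the exactly-sized remainder, and how clearing it during the split prevents that.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One unsent segment; buf/cap model the segment's pbuf and its real allocation. */
struct seg { uint8_t *buf; size_t len; size_t cap; struct seg *next; };
struct pcb { struct seg *unsent; size_t unsent_oversize; };

static struct seg *new_seg(size_t len, size_t cap) {
    struct seg *s = calloc(1, sizeof *s);
    s->buf = calloc(cap, 1); s->len = len; s->cap = cap;
    return s;
}

/* Model of the TCP_OVERSIZE append path: spare room at the tail of the last
 * unsent segment is filled first. Returns -1 if the bookkeeping would overrun
 * the real allocation (the memory corruption the report describes), else 0. */
static int write_model(struct pcb *p, const uint8_t *data, size_t n) {
    struct seg *last = p->unsent;
    while (last->next) last = last->next;
    size_t use = n < p->unsent_oversize ? n : p->unsent_oversize;
    if (last->len + use > last->cap) return -1;   /* would write past the pbuf */
    memcpy(last->buf + last->len, data, use);
    last->len += use; p->unsent_oversize -= use;
    if (n > use) {                       /* rest goes into an exact-size new segment */
        last->next = new_seg(n - use, n - use);
        memcpy(last->next->buf, data + use, n - use);
    }
    return 0;
}

/* Split the single unsent segment at `at`: shrink the head in place (as
 * pbuf_realloc does) and queue the remainder in an exactly-sized segment.
 * `fixed` applies the fix from the report: clear unsent_oversize. */
static void split_model(struct pcb *p, size_t at, int fixed) {
    struct seg *head = p->unsent, *rem = new_seg(head->len - at, head->len - at);
    memcpy(rem->buf, head->buf + at, rem->len);
    head->buf = realloc(head->buf, at); head->len = head->cap = at;
    head->next = rem;
    if (fixed) p->unsent_oversize = 0;   /* the new tail segment has no spare room */
}

/* Constructed scenario: one 64-byte segment holding 40 bytes (24 spare), split
 * at 20, then a 10-byte write before the remainder is sent. Returns the
 * write_model() result: -1 with the bug present, 0 with the fix applied. */
int scenario(int fixed) {
    struct pcb p = { new_seg(40, 64), 24 };
    uint8_t data[10] = {0};
    split_model(&p, 20, fixed);
    return write_model(&p, data, sizeof data);
}
```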