From: Michael Zimmermann
Subject: Re: [lwip-devel] use-after-free caused by tcp_input_delayed_close
Date: Fri, 25 Jan 2019 09:34:10 +0100

On 24.01.2019 at 10:01, Michael Zimmermann wrote:
> Hi,
>
> I'm running a tcp server using LWIP and upon termination of the
> connection, both sides do a "shutdown(sock, SHUT_WR)", wait for recv to
> return 0, call "shutdown(sock, SHUT_RDWR)", call "close(sock)".
Which version of lwIP are you using? If this problem persists with
current git master (maybe it's enough to compare the code?), could you
please file a bug report to ensure this doesn't get lost?
Thanks,
Simon
> The bug occurs in form of a race condition:
> - the lwip server calls SHUT_WR
> - the client calls SHUT_WR, once lwip saw this, it sets TF_RXCLOSED in
> "pcb->flags"
> - the client closes the connection, lwip sees this, adds TF_CLOSED to
> recv_flags, and then deletes the pcb within "tcp_input_delayed_close".
>
> The problem here is that "tcp_input_delayed_close" only calls the
> "pcb->errf" callback on this condition:
> "if (!(pcb->flags & TF_RXCLOSED))"
>
> I don't really know why that was done in the first place, but because of
> this, the pcb gets freed without notifying the user (which would set
> conn->pcb.tcp to NULL) in case the RX side was closed already.
>
> On the next call to shutdown or close, this results in use-after-free.
>
> I'm posting this to the mailing list first instead of the bug tracker to
> discuss the intention behind the condition and to come up with a proper
> solution.
>
> Thanks
> Michael Zimmermann
_______________________________________________
lwip-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/lwip-devel
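
A simplified model of the sequence described in the quoted report, added here as an example; it is not lwIP code and not written by either poster. All names (model_pcb, model_conn, conn_left_dangling, notify_always) and the flag values are assumptions made for the illustration, and the "always notify" variant is there only for comparison.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed flag values for this model; not taken from lwIP headers. */
#define TF_RXCLOSED 0x01u   /* kept in pcb->flags */
#define TF_CLOSED   0x02u   /* kept in recv_flags */

struct model_conn;
struct model_pcb {
    unsigned flags;
    int in_use;                           /* 0 once released to the pool */
    struct model_conn *arg;
    void (*errf)(struct model_conn *conn);
};
struct model_conn { struct model_pcb *pcb; };

/* A static slot stands in for the pcb pool, so a stale pointer can be
 * inspected here without actually touching freed memory. */
static struct model_pcb pool_slot;

/* User-side error callback: forget the pcb, as the report describes. */
static void conn_err(struct model_conn *conn) { conn->pcb = NULL; }

/* notify_always == 0 keeps the condition quoted in the report;
 * notify_always == 1 is a hypothetical variant used only for comparison. */
static void model_delayed_close(struct model_pcb *pcb, unsigned recv_flags,
                                int notify_always) {
    if (!(recv_flags & TF_CLOSED)) return;
    if (notify_always || !(pcb->flags & TF_RXCLOSED)) {
        if (pcb->errf) pcb->errf(pcb->arg);
    }
    pcb->in_use = 0;                      /* pcb is released either way */
}

/* Returns 1 if the connection is left holding a released pcb. */
static int conn_left_dangling(int rx_closed_first, int notify_always) {
    struct model_conn conn = { &pool_slot };
    pool_slot = (struct model_pcb){ 0, 1, &conn, conn_err };
    if (rx_closed_first) pool_slot.flags |= TF_RXCLOSED;
    model_delayed_close(&pool_slot, TF_CLOSED, notify_always);
    return conn.pcb != NULL && !conn.pcb->in_use;
}

int main(void) {
    printf("RX closed first, quoted condition: dangling=%d\n", conn_left_dangling(1, 0));
    printf("RX still open,   quoted condition: dangling=%d\n", conn_left_dangling(0, 0));
    printf("RX closed first, always notify:    dangling=%d\n", conn_left_dangling(1, 1));
    return 0;
}
```

A later shutdown or close that dereferences conn.pcb in the first case is the use-after-free the report describes.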