[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-users] Bug in snd_buf calculation

From: Curt McDowell
Subject: [lwip-users] Bug in snd_buf calculation
Date: Fri, 3 Feb 2006 17:00:42 -0800


A code change was made in two files almost exactly 1 year ago:

        tcp_out.c revision 1.43
        tcp_in.c revision 1.54
        Applied fix patch for bug #2679.

I think the idea was to fix a checksum alignment problem.  However, the fix is 
not correct and should be removed (now that the
checksum alignment problem has been addressed in the checksum routine).  In 
tcp_out.c, the change was:

          pcb->snd_buf -= len;
          /* FIX: Data split over odd boundaries */
          pcb->snd_buf -= ((len+1) & ~0x1); /* Even the send buffer */

If snd_buf becomes an odd number (which is possible elsewhere in lwip), and the 
application uses tcp_write() on that entire odd
amount, pcb->snd_buf underflows to 65535, crashing the application.

Curt McDowell
Broadcom Corp.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]