Re: [lwip-users] Infinite hang in tcp_slowtmr()

From: Sylvain Rochet
Subject: Re: [lwip-users] Infinite hang in tcp_slowtmr()
Date: Thu, 29 Oct 2015 20:38:05 +0100
User-agent: Mutt/1.5.21 (2010-09-15)


On Thu, Oct 29, 2015 at 08:06:30PM +0530, Dinesh Pandey wrote:
> Looks like I found the cause of 'my' loop.
> I was calling tcp_close twice on a TCP PCB.
> The memp_free routine simply puts the TCP PCB at the head of the linked
> list. If memp_free is called twice with the same TCP PCB, the first element
> starts to point back to itself.
> When a new TCP connection is created, the memp_alloc will return this
> looped member and you will end up with looped PCB linked list.

Indeed, this is actually a use-after-free security hole.
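
The failure described in this thread, modelled as an added example that is not part of the original messages and is not lwIP's own code: a toy pool whose free routine pushes at the head of a linked list, shown with an unchecked free and with a free that rejects an element already on the list. The pool layout and all function names are hypothetical.

```c
/* Toy pool with an intrusive free list: a simplified model, not lwIP's memp.c. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#define POOL_SIZE 4
struct elem { struct elem *next; };
static struct elem storage[POOL_SIZE], *free_head;

void pool_init(void) {
    free_head = NULL;
    for (int i = POOL_SIZE - 1; i >= 0; i--) { storage[i].next = free_head; free_head = &storage[i]; }
}

struct elem *pool_alloc(void) {
    struct elem *e = free_head;
    if (e != NULL) free_head = e->next;
    return e;
}

/* Unchecked free pushes at the head; freeing the head again sets e->next = e. */
void pool_free_unchecked(struct elem *e) { e->next = free_head; free_head = e; }

/* Checked free: returns -1 if the element is already on the free list. */
int pool_free_checked(struct elem *e) {
    for (struct elem *p = free_head; p != NULL; p = p->next)
        if (p == e) return -1;
    pool_free_unchecked(e);
    return 0;
}

/* Returns 1 when a double free makes two allocations share one element. */
int double_free_aliases(void) {
    pool_init();
    struct elem *a = pool_alloc();
    pool_free_unchecked(a);
    pool_free_unchecked(a);
    return pool_alloc() == pool_alloc();
}

/* Returns the result of the second (rejected) checked free. */
int double_free_rejected(void) {
    pool_init();
    struct elem *a = pool_alloc();
    pool_free_checked(a);
    return pool_free_checked(a);
}

int main(void) {
    printf("aliased=%d rejected=%d\n", double_free_aliases(), double_free_rejected());
    return 0;
}
```

With the unchecked free, every later allocation returns the same element, so two connections would share one control block; the checked variant trades a linear walk of the free list for refusing the second free.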

