lwip-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-users] netconn_aborted pointer in api_msg.c

From: Gregory . W . Smith
Subject: [lwip-users] netconn_aborted pointer in api_msg.c
Date: Tue, 27 Sep 2016 15:29:56 -0600
I have found a situation in lwIP STABLE-2_0_0 that can result in dereferencing a bad pointer.

In api_msg.c, the function accept_function() posts dummy u8_t pointer &netconn_aborted after an error:

 if (newpcb == NULL) {
    /* out-of-pcbs during connect: pass on this error to the application */
    if (sys_mbox_trypost(&conn->acceptmbox, (void*)&netconn_aborted) == ERR_OK) {
      /* Register event with callback */
      API_EVENT(conn, NETCONN_EVT_RCVPLUS, 0);
    }
    return ERR_VAL;
  }

  /* We have to set the callback here even though
   * the new socket is unknown. newconn->socket is marked as -1. */
  newconn = netconn_alloc(conn->type, conn->callback);
  if (newconn == NULL) {
    /* outof netconns: pass on this error to the application */
    if (sys_mbox_trypost(&conn->acceptmbox, (void*)&netconn_aborted) == ERR_OK) {
      /* Register event with callback */
      API_EVENT(conn, NETCONN_EVT_RCVPLUS, 0);
    }
    return ERR_MEM;
  }

Later other functions (for example netconn_drain() and netconn_free()) can receive &netconn_aborted from the mailbox and wrongly deference it as a (struct netconn *).  
Some elements of (struct netconn) are also pointers, so hard faults can quickly result.

My embedded application runs FreeRTOS on a lpc1768 (Cortex-M3) and supports Modbus.
To reproduce the problem, rapidly open and close sockets at a speed that can cause NETCONN memp errors.
  A) On an computer, Install modbus command line program "modpoll"
  B) In a script, loop modpoll reading a single register.  For example:

    #!/bin/bash
    c=1
    while [ $c -le 10000000 ]
    do
            modpoll -1 -r 86 192.168.1.88
            echo "Loops: $c"
            (( c++ ))
    done

    C) Startup multiple copies of the script.  For my setup, seven simultaneous scripts cause a hardfault within about a minute.


You might have another solution, but I was able to eliminate the hard faults by:
1) changing the declaration of netconn_aborted to
const struct netconn netconn_aborted;
2) adding the follow sanity check to the top of netconn_free() and netconn_drain():
  if (conn == &netconn_aborted)
      return;

However, I still cannot re-establish communication after NETCONN MEMP errors. The NETCONN memory is never released.  Any advice is appreciated.

Thank you to all contributors of lwIP.

Greg
reply via email to
[Prev in Thread] Current Thread [Next in Thread]