From: Alex Fishman
Subject: [lwip-devel] Problems in lwip stack
Date: Thu, 1 Sep 2005 18:05:32 +0300
Hello,

It seems that I've found a couple of bugs in the lwip code.

The first one is related to an assertion in tcp_out.c which fails occasionally in my configuration (code snippet below):

    /* If total number of pbufs on the unsent/unacked queues exceeds the
     * configured maximum, return an error */
    queuelen = pcb->snd_queuelen;
    if (queuelen >= TCP_SND_QUEUELEN) {
      LWIP_DEBUGF(TCP_OUTPUT_DEBUG | 3, ("tcp_enqueue: too long queue %u (max %u)", queuelen, TCP_SND_QUEUELEN));
      goto memerr;
    }
    if (queuelen != 0) {
      LWIP_ASSERT("tcp_enqueue: pbufs on queue => at least one queue non-empty",
                  pcb->unacked != NULL || pcb->unsent != NULL);
    }

I think I might have traced the problem to these lines in tcp_in.c:

    /* Do different things depending on the TCP state. */
    switch (pcb->state) {
    case SYN_SENT:
      LWIP_DEBUGF(TCP_INPUT_DEBUG, ("SYN-SENT: ackno %lu pcb->snd_nxt %lu unacked %lu", ackno,
                                    pcb->snd_nxt, ntohl(pcb->unacked->tcphdr->seqno)));
      if ((flags & TCP_ACK) && (flags & TCP_SYN) &&
          ackno == ntohl(pcb->unacked->tcphdr->seqno) + 1) {
        …..
        --pcb->snd_queuelen;
        ….

I think that the last line should be replaced with:

    pcb->snd_queuelen -= pbuf_clen(pcb->unacked->p);

The second problem is related to the tcp_rexmit_rto() function, which increments the pcb->nrtx variable. This variable is used as an index for the tcp_backoff[pcb->nrtx] array, which is declared as u8_t tcp_backoff[13]. In some cases pcb->nrtx increments beyond 13 and it might cause out of bounds memory access.

Alex
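As an added illustration (not code from the report or from lwIP), the following C snippet reproduces both problems in miniature: a stand-in pbuf chain shows why decrementing snd_queuelen by one leaves the tcp_enqueue invariant false when the acked SYN's chain holds more than one pbuf, and a clamped lookup shows one way to keep nrtx from indexing past a 13-entry tcp_backoff table. The pbuf struct, make_chain, queuelen_after_syn_ack, enqueue_invariant_holds and backoff_for names, and the table values, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint8_t u8_t;
typedef uint16_t u16_t;
/* Minimal stand-in for an lwIP pbuf: only the chain link matters here. */
struct pbuf { struct pbuf *next; };

/* Same contract as lwIP's pbuf_clen(): number of pbufs in the chain. */
static u16_t pbuf_clen(const struct pbuf *p) {
    u16_t len = 0;
    for (; p != NULL; p = p->next) ++len;
    return len;
}

/* Constructed test data: a chain of n pbufs (n <= 8) from static storage. */
static struct pbuf *make_chain(int n) {
    static struct pbuf pool[8];
    int i;
    for (i = 0; i < n; ++i) pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    return n > 0 ? &pool[0] : NULL;
}

/* snd_queuelen left once the SYN's pbuf chain is removed from the unacked
 * queue, using either the original "--pcb->snd_queuelen" or the proposed
 * "pcb->snd_queuelen -= pbuf_clen(...)". Only the SYN is assumed queued. */
static u16_t queuelen_after_syn_ack(int syn_chain_pbufs, int use_pbuf_clen) {
    struct pbuf *syn = make_chain(syn_chain_pbufs);
    u16_t snd_queuelen = pbuf_clen(syn);           /* what tcp_enqueue counted */
    if (use_pbuf_clen)
        snd_queuelen -= pbuf_clen(syn);            /* proposed fix */
    else
        --snd_queuelen;                            /* original code */
    return snd_queuelen;
}

/* The invariant tcp_enqueue asserts: a non-zero count implies a non-empty queue. */
static int enqueue_invariant_holds(u16_t queuelen, const struct pbuf *unacked,
                                   const struct pbuf *unsent) {
    return queuelen == 0 || unacked != NULL || unsent != NULL;
}

/* 13-entry backoff table as lwIP declares it (values here are illustrative);
 * the index is clamped so a runaway nrtx cannot read past the end. */
static const u8_t tcp_backoff[13] = { 1, 2, 3, 4, 5, 6, 7, 7, 7, 7, 7, 7, 7 };
static u8_t backoff_for(u8_t nrtx) {
    const u8_t last = (u8_t)(sizeof(tcp_backoff) / sizeof(tcp_backoff[0]) - 1);
    return tcp_backoff[nrtx > last ? last : nrtx];
}
```

With a single-pbuf SYN both accounting styles agree, which is why the assertion only fires occasionally; the mismatch appears once the SYN chain spans several pbufs.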