[lwip-devel] [bug #34846] LWIP segfaults from IPv6 reassembly timer
From: Sebastian Unger
Subject: [lwip-devel] [bug #34846] LWIP segfaults from IPv6 reassembly timer
Date: Thu, 17 Nov 2011 00:40:58 +0000
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
URL: <http://savannah.nongnu.org/bugs/?34846>
Summary: LWIP segfaults from IPv6 reassembly timer
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: sebunger
Submitted on: Thu 17 Nov 2011 12:40:51 AM GMT
Category: IPv6
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: CVS Head
_______________________________________________________
Details:
Hi there,
When I run the IPv6Ready logo test suite phase 2 against LWIP, it segfaults in
one of the tests. The following is a backtrace from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x080b6fde in ip6_select_source_address (netif=0x0, dest=0x8523650) at
lwip/core/ipv6/ip6.c:221
221 if (ip6_addr_isvalid(netif_ip6_addr_state(netif, i)) &&
(gdb) bt
#0 0x080b6fde in ip6_select_source_address (netif=0x0, dest=0x8523650) at
lwip/core/ipv6/ip6.c:221
#1 0x080b8111 in icmp6_send_response (p=0x8513728, code=1 '\001', data=0,
type=3 '\003') at lwip/core/ipv6/icmp6.c:281
#2 0x080b8008 in icmp6_time_exceeded (p=0x8513728, c=ICMP6_TE_FRAG) at
lwip/core/ipv6/icmp6.c:227
#3 0x080b8296 in ip6_reass_free_complete_datagram (ipr=0x850796c) at
lwip/core/ipv6/ip6_frag.c:153
#4 0x080b821a in ip6_reass_tmr () at lwip/core/ipv6/ip6_frag.c:123
#5 0x080b38d5 in ip6_reass_timer (arg=0x0) at lwip/core/timers.c:249
#6 0x080b3b89 in sys_check_timeouts () at lwip/core/timers.c:404
(gdb) up
#1 0x080b8111 in icmp6_send_response (p=0x8513728, code=1 '\001', data=0,
type=3 '\003') at lwip/core/ipv6/icmp6.c:281
281 reply_src = ip6_select_source_address(ip_current_netif(),
ip6_current_src_addr());
As far as I can see, the problem is the use of ip_current_netif() in
icmp6_send_response. Its documentation clearly states that it may only be
called from a receive callback, but we are not in a receive callback.
The question is, how best to fix it. I can conceive of two basic solutions:
1. In icmp6_send_response, if ip_current_netif() returns 0, use the normal
logic for finding the outgoing interface based on the destination address.
2. When we queue up a fragment for reassembly, we remember the interface it
came in on and use that when sending the response.
However, I can think of a host of problems with 2, such as interfaces
disappearing in the meantime etc. So I would lean towards solution 1.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?34846>
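Option 1 from the report above, as an added example that is not part of the original message and not lwIP code: a simplified C model in which the response path falls back to a destination-based route lookup when no input interface is current, and sends nothing when no route exists. netif_model, current_input_netif, route_by_dest, select_source and response_source are hypothetical names, and passing dest in explicitly is an assumption of the model.

```c
/* Added example: simplified model, not lwIP source. All names are hypothetical. */
#include <stddef.h>
#include <string.h>

#define NUM_ADDRS 3
struct netif_model {
    unsigned char prefix[8];            /* on-link /64 prefix used for routing */
    int addr_valid[NUM_ADDRS];          /* per-slot address state */
    unsigned char addr[NUM_ADDRS][16];  /* per-slot IPv6 address */
};

/* Set only while an input packet is being processed; NULL in timer context. */
static struct netif_model *current_input_netif = NULL;
static struct netif_model *netif_list[2];
static size_t netif_count = 0;

/* Normal output routing, modeled as a /64 prefix match on the destination. */
static struct netif_model *route_by_dest(const unsigned char dest[16]) {
    for (size_t i = 0; i < netif_count; i++)
        if (memcmp(netif_list[i]->prefix, dest, 8) == 0)
            return netif_list[i];
    return NULL;
}

/* Like the crashing frame #0: reads netif fields, so netif must be non-NULL. */
static const unsigned char *select_source(struct netif_model *netif) {
    for (int i = 0; i < NUM_ADDRS; i++)
        if (netif->addr_valid[i])
            return netif->addr[i];
    return NULL;
}

/* Option 1: outside input context, route on dest; NULL means "send nothing". */
const unsigned char *response_source(const unsigned char dest[16]) {
    struct netif_model *netif = current_input_netif;
    if (netif == NULL)
        netif = route_by_dest(dest);
    return netif ? select_source(netif) : NULL;
}

int main(void) {
    /* Constructed sample: one interface on 2001:db8:0:1::/64, timer context. */
    static struct netif_model n = { {0x20,0x01,0x0d,0xb8,0,0,0,1}, {0,1,0}, {{0}} };
    unsigned char dest[16] = {0x20,0x01,0x0d,0xb8,0,0,0,1, 0,0,0,0,0,0,0,0x99};
    netif_list[0] = &n;
    netif_count = 1;
    current_input_netif = NULL;
    return response_source(dest) == n.addr[1] ? 0 : 1;
}
```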