[lwip-devel] Particular size of ping can halt lwIP -- a pbuf_copy bug?
From: narke
Subject: [lwip-devel] Particular size of ping can halt lwIP -- a pbuf_copy bug?
Date: Fri, 27 Apr 2012 14:47:51 +0800
Hi,
When ppp receives data (in the pppInProc function), it allocates pbuf chains
to hold the received bytes, including the last two checksum bytes. It's
possible that a particular size of incoming ppp frame makes
pppInProc allocate a pbuf chain where the last pbuf just
holds the two checksum bytes, with length 2. Before ppp forwards the
pbuf chain to the upper layer, it removes the ppp checksum by
reducing the length field of the last pbuf by 2. So, in this case, it
will forward a pbuf chain with n + 1 pbufs where the last pbuf is zero
length.
If the incoming ppp frame actually holds a ping packet, such a
pbuf chain will eventually be forwarded to the icmp_input() function,
which calls the pbuf_copy function and passes the pbuf chain as the
'p_from' argument of that function. The problem is, pbuf_copy has a
bug in handling such a source pbuf chain, and the LWIP_ASSERT
statement (line 843 of pbuf.c in version 1.4.0) evaluates false.
I think this is a pbuf_copy() bug and want your confirmation.
Best Regards,
--
Life is the only flaw in an otherwise perfect nonexistence
-- Schopenhauer
narke
public key at http://subkeys.pgp.net:11371 (address@hidden)
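To make the failure mode concrete, here is an added example that is not part of the mail or of lwIP itself. It uses a constructed `struct xpbuf` stand-in for lwIP's pbuf, strips a trailing two-byte checksum the way the mail describes so that the last pbuf in the chain ends up with `len == 0`, and then runs two simplified chain copies written in the style of pbuf_copy: a strict one that insists the source chain be exhausted the moment the destination fills up (and therefore fails on the zero-length tail), and a tolerant one that skips empty source pbufs before judging whether the destination is too small. Names such as `xpbuf`, `chain_copy_strict`, `chain_copy_tolerant` and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for lwIP's struct pbuf, constructed for this example
 * (not lwIP's definition); only the fields the copy logic needs. */
struct xpbuf {
    struct xpbuf *next;     /* next pbuf in the chain, NULL at the end */
    uint8_t      *payload;  /* start of this pbuf's data */
    uint16_t      tot_len;  /* bytes in this pbuf plus all following ones */
    uint16_t      len;      /* bytes in this pbuf only */
};

/* Strip the trailing 2-byte checksum as the mail describes: shorten the last
 * pbuf by 2 and reduce tot_len along the chain. If the last pbuf held exactly
 * the 2 checksum bytes, its len becomes 0 but it stays chained. */
void strip_trailing_checksum(struct xpbuf *p)
{
    for (struct xpbuf *q = p; q != NULL; q = q->next) {
        q->tot_len -= 2;
        if (q->next == NULL)
            q->len -= 2;
    }
}

/* Sanity check on what the link layer hands up: zero-length pbufs in a chain. */
int count_zero_len_pbufs(const struct xpbuf *p)
{
    int n = 0;
    for (; p != NULL; p = p->next)
        if (p->len == 0)
            n++;
    return n;
}

/* Copy in the style of pbuf_copy (simplified re-implementation, not lwIP's
 * code). Once the destination is used up it demands that the source chain be
 * exhausted too; a trailing zero-length source pbuf is still non-NULL at that
 * point, so the copy fails (-1) in the situation the mail reports. */
int chain_copy_strict(struct xpbuf *to, const struct xpbuf *from)
{
    uint16_t off_to = 0, off_from = 0;
    if (to == NULL || from == NULL || to->tot_len < from->tot_len)
        return -1;
    do {
        uint16_t room  = to->len - off_to;
        uint16_t avail = from->len - off_from;
        uint16_t len   = room < avail ? room : avail;
        memcpy(to->payload + off_to, from->payload + off_from, len);
        off_to += len;
        off_from += len;
        if (off_from >= from->len) { off_from = 0; from = from->next; }
        if (off_to == to->len) {
            off_to = 0;
            to = to->next;
            if (to == NULL && from != NULL)   /* the check that trips */
                return -1;
        }
    } while (from != NULL);
    return 0;
}

/* Same copy, but empty source pbufs are skipped before the destination is
 * checked, so only a real shortfall of destination space fails. */
int chain_copy_tolerant(struct xpbuf *to, const struct xpbuf *from)
{
    uint16_t off_to = 0, off_from = 0;
    if (to == NULL || from == NULL || to->tot_len < from->tot_len)
        return -1;
    while (from != NULL) {
        if (off_from >= from->len) {      /* also true for a len == 0 pbuf */
            off_from = 0;
            from = from->next;
            continue;
        }
        if (to == NULL)                   /* bytes left but nowhere to put them */
            return -1;
        uint16_t room  = to->len - off_to;
        uint16_t avail = from->len - off_from;
        uint16_t len   = room < avail ? room : avail;
        memcpy(to->payload + off_to, from->payload + off_from, len);
        off_to += len;
        off_from += len;
        if (off_to >= to->len) { off_to = 0; to = to->next; }
    }
    return 0;
}

/* Constructed scenario: one 4-byte data pbuf followed by a pbuf holding only
 * the 2 checksum bytes; the destination is exactly tot_len bytes after the strip. */
struct scenario {
    uint8_t data[4], fcs[2], out[4];
    struct xpbuf head, tail, dst;
};

void scenario_init(struct scenario *s)
{
    const uint8_t data[4] = {0x08, 0x00, 0xAA, 0xBB};   /* constructed bytes */
    memcpy(s->data, data, sizeof data);
    s->fcs[0] = 0x12; s->fcs[1] = 0x34;                 /* constructed checksum */
    memset(s->out, 0, sizeof s->out);
    s->tail = (struct xpbuf){ NULL, s->fcs, 2, 2 };
    s->head = (struct xpbuf){ &s->tail, s->data, 6, 4 };
    strip_trailing_checksum(&s->head);   /* tail.len -> 0, head.tot_len -> 4 */
    s->dst  = (struct xpbuf){ NULL, s->out, 4, 4 };
}

int run_zero_len_count(void) { struct scenario s; scenario_init(&s); return count_zero_len_pbufs(&s.head); }
int run_strict_copy(void)    { struct scenario s; scenario_init(&s); return chain_copy_strict(&s.dst, &s.head); }
int run_tolerant_copy(void)
{
    struct scenario s;
    scenario_init(&s);
    if (chain_copy_tolerant(&s.dst, &s.head) != 0)
        return -1;
    return memcmp(s.out, s.data, sizeof s.out) == 0 ? 0 : -2;   /* 0: copied intact */
}

int main(void)
{
    printf("zero-length pbufs: %d, strict copy: %d, tolerant copy: %d\n",
           run_zero_len_count(), run_strict_copy(), run_tolerant_copy());
    return 0;
}
```

The strict variant returns -1 for the stripped chain while the tolerant one returns 0 and reproduces the data bytes, which is the behaviour difference at issue: the copied byte count is identical in both cases, and the failure comes only from treating a non-NULL but empty source pbuf as "data still pending". A cheap defensive check at the boundary is `count_zero_len_pbufs()` on the chain the link layer passes up; if that is non-zero, either the empty tail should be dropped or the copy routine must tolerate it.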