
[lwip-devel] [bug #36369] pbuf_copy() with zero length pbuf


From: Woody Wu
Subject: [lwip-devel] [bug #36369] pbuf_copy() with zero length pbuf
Date: Wed, 02 May 2012 05:52:14 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

URL:
  <http://savannah.nongnu.org/bugs/?36369>

                 Summary: pbuf_copy() with zero length pbuf
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: narke
            Submitted on: Wed 02 May 2012 05:52:13 AM GMT
                Category: pbufs
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.4.0

    _______________________________________________________

Details:

When ppp receives data (in the pppInProc function), it allocates pbuf chains
to hold the received bytes, including the last two bytes of checksum. It's
possible that a particular size of incoming ppp frame makes
pppInProc allocate a pbuf chain where the last pbuf just
holds the two-byte checksum, with length 2.  Before ppp forwards the
pbuf chain to the upper layer, it removes the ppp checksum by
reducing the length field of the last pbuf by 2.  So, in this case, it
will forward a pbuf chain with n + 1 pbufs where the last pbuf is zero
length.

If the incoming ppp frame actually holds a ping packet, such a
pbuf chain will eventually be forwarded to the icmp_input() function,
which calls the pbuf_copy function and passes the pbuf chain as the
'p_from' argument of that function.   The problem is, pbuf_copy has a
bug in handling such a source pbuf chain, and the LWIP_ASSERT
statement (line 843 of pbuf.c in version 1.4.0) will evaluate false.

I think this is a pbuf_copy() bug.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?36369>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
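A small model of the chain shape the report describes, added here as an illustration and not taken from lwIP: the `struct pbuf`, `chain_copy` and the sample bytes are constructed for this example, and the copy routine skips a zero-length trailing pbuf instead of asserting on it.

```c
#include <stdint.h>
#include <string.h>

/* Minimal model of an lwIP-style pbuf chain (illustration only, not lwIP's struct). */
struct pbuf {
    struct pbuf *next;
    uint8_t *payload;
    uint16_t tot_len;  /* bytes in this pbuf plus all following pbufs */
    uint16_t len;      /* bytes in this pbuf alone */
};

/* Copy the payload of chain p_from into chain p_to. A zero-length pbuf in either chain
 * (such as the trailing pbuf left when PPP strips its 2-byte FCS by reducing len) is
 * skipped rather than treated as an error. Returns bytes copied, or -1 if p_to is too small. */
int chain_copy(struct pbuf *p_to, const struct pbuf *p_from)
{
    uint16_t off_to = 0, off_from = 0;
    int copied = 0;
    if (p_to == NULL || p_from == NULL || p_to->tot_len < p_from->tot_len) return -1;
    while (p_from != NULL) {
        if (off_from >= p_from->len) { p_from = p_from->next; off_from = 0; continue; }
        if (off_to >= p_to->len) {
            p_to = p_to->next; off_to = 0;
            if (p_to == NULL) return -1;
            continue;
        }
        uint16_t n = p_from->len - off_from;
        if (p_to->len - off_to < n) n = p_to->len - off_to;
        memcpy(p_to->payload + off_to, p_from->payload + off_from, n);
        off_to += n; off_from += n; copied += n;
    }
    return copied;
}

/* Rebuild the shape from the report: a two-pbuf chain whose last pbuf holds only the
 * 2-byte FCS, then strip the FCS by reducing that pbuf's len, leaving len == 0.
 * Returns the byte count copied into a flat destination, or -1 on any mismatch. */
int reproduce_zero_length_tail(void)
{
    static uint8_t data[6] = {0x45, 0x00, 0x00, 0x1c, 0x01, 0x02}; /* constructed payload */
    static uint8_t fcs[2] = {0xaa, 0xbb};                           /* constructed FCS */
    static uint8_t out[8] = {0};
    struct pbuf tail = { NULL, fcs, 2, 2 };
    struct pbuf head = { &tail, data, 8, 6 };
    struct pbuf dst = { NULL, out, sizeof out, sizeof out };
    tail.len -= 2; tail.tot_len -= 2; head.tot_len -= 2;   /* checksum removed, tail.len is now 0 */
    int n = chain_copy(&dst, &head);
    return (tail.len == 0 && n == 6 && memcmp(out, data, 6) == 0) ? n : -1;
}
```

The same zero-length tail is what a copy routine sees after the PPP layer shrinks the last pbuf, so a copy loop that checks remaining bytes per pbuf rather than assuming every pbuf is non-empty handles it without an assertion.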



