[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #48476] TCP sent callback called wrongly due to pickin
From: |
Ambroz Bizjak |
Subject: |
[lwip-devel] [bug #48476] TCP sent callback called wrongly due to picking up old pcb->acked |
Date: |
Mon, 11 Jul 2016 19:29:08 +0000 (UTC) |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
URL:
<http://savannah.nongnu.org/bugs/?48476>
Summary: TCP sent callback called wrongly due to picking up
old pcb->acked
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: abizjak
Submitted on: Mon 11 Jul 2016 07:29:06 PM GMT
Category: TCP
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
In tcp_in.c, tcp_input(), shortly after calling tcp_process(), pcb->acked is
checked, and if it's nonzero, the application's sent callback is invoked with
the amount of acked data.
The fatal issue is that if tcp_process() does not set tcp->acked (usually when
the packet does not have the ACK flag), so it can happen that the sent
callback is called again for the amount of acked data which has in fact been
acked with a previously received packet.
This generally causes an inconsistency in the application code and results in
something bad.
Reproducing is almost trivial:
- Make an application continuously send data to the client.
- Keep track of the amount of outstanding data, with an integer that you
increase after tcp_write and decrease in the sent callback.
- Add an assert in your sent-callback for the acked-bytes to be no more than
the amount of outstanding data.
- Send some crafted RST to the device with the right IPs/ports and with random
sequence numbers (so lwip will probably classify as not-acceptable, resulting
in tcp_process returnign very soon without setting pcb->acked).
- Observe your assert being hit.
I reproduces this with my forked lwIP but as far as I can see the issue exists
in current lwIP. I used the following to send some ACKs:
hping --rst --baseport <client port> --destport <device port> --keep <device
IP>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?48476>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
- [lwip-devel] [bug #48476] TCP sent callback called wrongly due to picking up old pcb->acked,
Ambroz Bizjak <=