From: | Ambroz Bizjak |
Subject: | [lwip-devel] [bug #48539] Possible crash when packet received in SYN_SENT state |
Date: | Sun, 17 Jul 2016 09:44:57 +0000 (UTC) |
User-agent: | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
URL: <http://savannah.nongnu.org/bugs/?48539>

Summary: Possible crash when packet received in SYN_SENT state
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: abizjak
Submitted on: Sun 17 Jul 2016 09:44:55 AM GMT
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head

_______________________________________________________

Details:

While looking at the code I see a hazard in the tcp_process() SYN_SENT case when accessing pcb->unacked->tcphdr->seqno. The pcb->unacked could be NULL, I think in the following cases:

(1) tcp_output() in tcp_connect() failed to output the segment; the segment has never been put into unacked.

(2) tcp_output() in tcp_rexmit_rto() failed to output the segment; the segment has been moved back to unsent and stayed there.

_______________________________________________________

Reply to this item at: <http://savannah.nongnu.org/bugs/?48539>

_______________________________________________
Message sent via/by Savannah http://savannah.nongnu.org/
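The two cases in the report, as an added example that is not part of the original message and is not lwIP code: a small model of the unsent/unacked queues shows how the unacked pointer ends up NULL in SYN_SENT, and a guarded check that never dereferences it. The `*_model` types, `model_output()`, `model_rexmit_rto()`, `syn_sent_ack_matches()` and `scenario()` are hypothetical names, the initial sequence number 1000 is a constructed value, and sequence numbers are kept in host byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the structures named in the report (assumed shapes, not lwIP's). */
struct tcp_hdr_model { uint32_t seqno; };            /* host byte order in this model */
struct tcp_seg_model { struct tcp_hdr_model *tcphdr; struct tcp_seg_model *next; };
struct tcp_pcb_model { struct tcp_seg_model *unsent, *unacked; };

/* Output attempt: on success the first unsent segment moves to unacked; on failure it stays on unsent. */
static void model_output(struct tcp_pcb_model *pcb, int output_ok) {
    struct tcp_seg_model *seg = pcb->unsent;
    if (!output_ok || seg == NULL) return;
    pcb->unsent = seg->next;
    seg->next = pcb->unacked;
    pcb->unacked = seg;
}

/* Retransmission timeout: everything on unacked goes back to unsent, then output is retried. */
static void model_rexmit_rto(struct tcp_pcb_model *pcb, int output_ok) {
    struct tcp_seg_model *last = pcb->unacked;
    if (last == NULL) return;
    while (last->next != NULL) last = last->next;
    last->next = pcb->unsent;
    pcb->unsent = pcb->unacked;
    pcb->unacked = NULL;
    model_output(pcb, output_ok);
}

/* Guarded SYN_SENT check: 1 if ackno acknowledges the queued SYN, 0 otherwise (including unacked == NULL). */
static int syn_sent_ack_matches(const struct tcp_pcb_model *pcb, uint32_t ackno) {
    if (pcb->unacked == NULL || pcb->unacked->tcphdr == NULL) return 0;
    return ackno == pcb->unacked->tcphdr->seqno + 1;
}

/* Constructed scenario: a SYN with sequence number 1000 is queued, then a segment with ackno arrives. */
static int scenario(int connect_output_ok, int rto_fired, int rto_output_ok, uint32_t ackno) {
    struct tcp_hdr_model hdr = { 1000u };
    struct tcp_seg_model syn = { &hdr, NULL };
    struct tcp_pcb_model pcb = { &syn, NULL };
    model_output(&pcb, connect_output_ok);           /* case (1) when this fails */
    if (rto_fired) model_rexmit_rto(&pcb, rto_output_ok); /* case (2) when this fails */
    return syn_sent_ack_matches(&pcb, ackno);
}

int main(void) {
    printf("sent=%d case1=%d case2=%d\n", scenario(1, 0, 0, 1001u), scenario(0, 0, 0, 1001u), scenario(1, 1, 0, 1001u));
    return 0;
}
```

The guard only removes the NULL dereference: in case (2) the SYN was sent once before the timeout, so a late but valid SYN-ACK is reported as non-matching by this model.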