
[lwip-devel] [bug #57790] Fragmented UDP packets leads to crash on reass


From: Jarno Malmari
Subject: [lwip-devel] [bug #57790] Fragmented UDP packets leads to crash on reassembly
Date: Tue, 11 Feb 2020 11:05:25 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.131 Safari/537.36

URL:
  <https://savannah.nongnu.org/bugs/?57790>

                 Summary: Fragmented UDP packets leads to crash on reassembly
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: jmalmari
            Submitted on: Tue 11 Feb 2020 04:05:23 PM UTC
                Category: IPv4
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

= Test setup =

== Device under test ==
Ran into crash with custom ST H7 board. Reproducible with NUCLEO-H743ZI2.

== Software ==

Reproducible with ST's project example:
STM32Cube_FW_H7_V1.6.0/Projects/NUCLEO-H743ZI/Applications/LwIP/LwIP_HTTP_Server_Netconn_RTOS

(only changed IP and disabled dhcp)

Available at
https://www.st.com/en/embedded-software/stm32cubeh7.html

== LwIP ==

lwipopts.h attached

Versions tested: 2.0.3, 2.2.0

Not sure if relevant, but peculiarities of H7 include its multiple SRAMs. In
the example, program data is in AXI SRAM to which ethernet DMA has no access.
Therefore, the _LWIP_RAM_HEAP_POINTER_ is relocated to SRAM3. Ethernet RX
buffers are also in SRAM3. CPU cache for these memory regions is configured
(disabled) by Memory Protection Unit (MPU_Config()).



= Test run =

From Linux shell:

bs=6000
ip=<device ip>
dd if=/dev/urandom bs=$bs count=5 | socat -b $bs -u stdin UDP4-DATAGRAM:$ip:12345


Expect hardfault after a few seconds.

= Debug = 
Source of hardfault is function _ip_reass_free_complete_datagram_,
dereferencing invalid pointer p (p->payload).

The issue seems to be a combination of fragmented packets and the receive
buffer filling up. Therefore, depending on memory settings, the amount of UDP
bombardment may need adjusting.

Typical output with IP_REASS_DEBUG=LWIP_DBG_ON:

ip_reass_pbufcount: 1 out                                       
ip4_reass: matching previous fragment ID=8778                   
ip4_reass: last fragment seen, total len 1508                   
ip_reass_pbufcount: 2 out                                       
ip_reass_tmr: timer dec 14                                      
ip_reass_pbufcount: 3 out                                       
ip4_reass: matching previous fragment ID=8779                   
ip4_reass: last fragment seen, total len 1508                   
ip_reass_pbufcount: 4 out                                       
ip_reass_pbufcount: 5 out                                       
ip4_reass: matching previous fragment ID=877a                   
ip4_reass: last fragment seen, total len 1508                   
ip_reass_pbufcount: 6 out                                       
ip4_reass: last fragment seen, total len 1508                   
ip_reass_pbufcount: 7 out                                       
ip4_reass: last fragment seen, total len 1508                   
ip_reass_pbufcount: 8 out                                       
ip_reass_tmr: timer dec 14                                      
ip_reass_tmr: timer dec 14                                      
ip_reass_tmr: timer dec 14                                      
ip_reass_tmr: timer dec 14                                      
ip_reass_tmr: timer dec 13                                      
ip_reass_tmr: timer dec 13                                      
ip_reass_tmr: timer dec 13                                      
ip_reass_tmr: timer dec 13                                      
<...counting down from 13 to 1...>
ip_reass_tmr: timer dec 1                                       
ip_reass_tmr: timer dec 1                                       
ip_reass_tmr: timer dec 0                                       
ip_reass_tmr: timer dec 0                                       
ip_reass_tmr: timer dec 0                                       
ip_reass_tmr: timer dec 0                                       
ip_reass_tmr: timer dec 0                                       
ip_reass_tmr: timer timed out                               
<hardfault>    


= Workaround =

#define IP_REASSEMBLY 0




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 11 Feb 2020 04:05:23 PM UTC  Name: lwipopts.h  Size: 9KiB   By:
jmalmari

<http://savannah.nongnu.org/bugs/download.php?file_id=48393>

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57790>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
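
Added example, not part of the original report or of lwIP: a small Python triage script for IP_REASS_DEBUG output in the format quoted in the report. The sample trace is constructed from lines of that trace, and reading a run of identical "timer dec N" lines as one line per pending datagram is an assumption.

```python
import re

# Constructed sample, built from lines of the trace quoted in the report.
SAMPLE_TRACE = """\
ip_reass_pbufcount: 1 out
ip4_reass: matching previous fragment ID=8778
ip4_reass: last fragment seen, total len 1508
ip_reass_pbufcount: 2 out
ip_reass_tmr: timer dec 1
ip_reass_tmr: timer dec 0
ip_reass_tmr: timer dec 0
ip_reass_tmr: timer timed out
<hardfault>
"""

PBUF_RE = re.compile(r"ip_reass_pbufcount: (\d+) out")
ID_RE = re.compile(r"matching previous fragment ID=([0-9a-fA-F]+)")
DEC_RE = re.compile(r"ip_reass_tmr: timer dec (\d+)")
TIMEOUT = "ip_reass_tmr: timer timed out"

def summarize(trace):
    """Summarize a reassembly debug trace for crash triage."""
    peak, ids, timeouts, last = 0, [], 0, ""
    run_val, run_len, max_run = None, 0, 0
    for raw in trace.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):   # skip blanks and annotations
            continue
        last = line
        dec = DEC_RE.search(line)
        if dec:
            # Assumption: each pending datagram logs one line per timer tick,
            # so a run of equal values estimates the reassembly queue depth.
            val = int(dec.group(1))
            run_len = run_len + 1 if val == run_val else 1
            run_val, max_run = val, max(max_run, run_len)
            continue
        run_val, run_len = None, 0
        pbuf = PBUF_RE.search(line)
        if pbuf:
            peak = max(peak, int(pbuf.group(1)))
        frag = ID_RE.search(line)
        if frag and frag.group(1) not in ids:
            ids.append(frag.group(1))
        timeouts += TIMEOUT in line
    return {"peak_pbufs": peak, "fragment_ids": ids, "queue_depth_estimate": max_run,
            "timeouts": timeouts, "ends_on_timeout": TIMEOUT in last}

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

A trace whose last logged line is the timeout message, as in the report, points triage at the timeout cleanup path rather than at fragment insertion.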



