[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-users] Bug in snd_buf calculation
From: |
Curt McDowell |
Subject: |
[lwip-users] Bug in snd_buf calculation |
Date: |
Fri, 3 Feb 2006 17:00:42 -0800 |
Hi,
A code change was made in two files almost exactly 1 year ago:
tcp_out.c revision 1.43
tcp_in.c revision 1.54
Applied fix patch for bug #2679.
http://savannah.nongnu.org/bugs/?func=detailitem&item_id=2679
I think the idea was to fix a checksum alignment problem. However, the fix is
not correct and should be removed (now that the
checksum alignment problem has been addressed in the checksum routine). In
tcp_out.c, the change was:
<<<<<
pcb->snd_buf -= len;
=====
/* FIX: Data split over odd boundaries */
pcb->snd_buf -= ((len+1) & ~0x1); /* Even the send buffer */
>>>>>
If snd_buf becomes an odd number (which is possible elsewhere in lwip), and the
application uses tcp_write() on that entire odd
amount, pcb->snd_buf underflows to 65535, crashing the application.
Regards,
Curt McDowell
Broadcom Corp.
- [lwip-users] Bug in snd_buf calculation,
Curt McDowell <=