mirror/lwip
1
0
Fork 0
mirror of https://github.com/lwip-tcpip/lwip.git synced 2024-10-04 05:39:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #49218: pbuf_clen() overflow as a result of tcp_write concatenation

Browse Source 
Let pbuf_clen() return u16_t
This commit is contained in:
Dirk Ziegelmeier 2016-09-30 09:04:36 +02:00
parent 682b82aad8
commit 149701b347
5 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/core/ipv4/ip4_frag.c
View File

@ -160,7 +160,7 @@ static int
ip_reass_free_complete_datagram(struct ip_reassdata *ipr, struct ip_reassdata *prev) ip_reass_free_complete_datagram(struct ip_reassdata *ipr, struct ip_reassdata *prev)
{ {
u16_t pbufs_freed = 0; u16_t pbufs_freed = 0;
u8_t clen; u16_t clen;
struct pbuf *p; struct pbuf *p;
struct ip_reass_helper *iprh; struct ip_reass_helper *iprh;
@ -487,8 +487,7 @@ ip4_reass(struct pbuf *p)
struct ip_hdr *fraghdr; struct ip_hdr *fraghdr;
struct ip_reassdata *ipr; struct ip_reassdata *ipr;
struct ip_reass_helper *iprh; struct ip_reass_helper *iprh;
u16_t offset, len; u16_t offset, len, clen;
u8_t clen;
IPFRAG_STATS_INC(ip_frag.recv); IPFRAG_STATS_INC(ip_frag.recv);
MIB2_STATS_INC(mib2.ipreasmreqds); MIB2_STATS_INC(mib2.ipreasmreqds);

5
src/core/ipv6/ip6_frag.c
View File

@ -147,7 +147,7 @@ ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr)
{ {
struct ip6_reassdata *prev; struct ip6_reassdata *prev;
u16_t pbufs_freed = 0; u16_t pbufs_freed = 0;
u8_t clen; u16_t clen;
struct pbuf *p; struct pbuf *p;
struct ip6_reass_helper *iprh; struct ip6_reass_helper *iprh;
@ -262,7 +262,8 @@ ip6_reass(struct pbuf *p)
struct ip6_reass_helper *iprh, *iprh_tmp, *iprh_prev=NULL; struct ip6_reass_helper *iprh, *iprh_tmp, *iprh_prev=NULL;
struct ip6_frag_hdr *frag_hdr; struct ip6_frag_hdr *frag_hdr;
u16_t offset, len; u16_t offset, len;
u8_t clen, valid = 1; u16_t clen;
u8_t valid = 1;
struct pbuf *q; struct pbuf *q;
IP6_FRAG_STATS_INC(ip6_frag.recv); IP6_FRAG_STATS_INC(ip6_frag.recv);

2
src/core/netif.c
View File

@ -791,7 +791,7 @@ netif_loop_output(struct netif *netif, struct pbuf *p)
err_t err; err_t err;
struct pbuf *last; struct pbuf *last;
#if LWIP_LOOPBACK_MAX_PBUFS #if LWIP_LOOPBACK_MAX_PBUFS
u8_t clen = 0; u16_t clen = 0;
#endif /* LWIP_LOOPBACK_MAX_PBUFS */ #endif /* LWIP_LOOPBACK_MAX_PBUFS */
/* If we have a loopif, SNMP counters are adjusted for it, /* If we have a loopif, SNMP counters are adjusted for it,
* if not they are adjusted for 'netif'. */ * if not they are adjusted for 'netif'. */

4
src/core/pbuf.c
View File

@ -779,10 +779,10 @@ pbuf_free(struct pbuf *p)
* @param p first pbuf of chain * @param p first pbuf of chain
* @return the number of pbufs in a chain * @return the number of pbufs in a chain
*/ */
u8_t u16_t
pbuf_clen(struct pbuf *p) pbuf_clen(struct pbuf *p)
{ {
u8_t len; u16_t len;
len = 0; len = 0;
while (p != NULL) { while (p != NULL) {

2
src/include/lwip/pbuf.h
View File

@ -231,7 +231,7 @@ u8_t pbuf_header(struct pbuf *p, s16_t header_size);
u8_t pbuf_header_force(struct pbuf *p, s16_t header_size); u8_t pbuf_header_force(struct pbuf *p, s16_t header_size);
void pbuf_ref(struct pbuf *p); void pbuf_ref(struct pbuf *p);
u8_t pbuf_free(struct pbuf *p); u8_t pbuf_free(struct pbuf *p);
u8_t pbuf_clen(struct pbuf *p); u16_t pbuf_clen(struct pbuf *p);
void pbuf_cat(struct pbuf *head, struct pbuf *tail); void pbuf_cat(struct pbuf *head, struct pbuf *tail);
void pbuf_chain(struct pbuf *head, struct pbuf *tail); void pbuf_chain(struct pbuf *head, struct pbuf *tail);
struct pbuf *pbuf_dechain(struct pbuf *p); struct pbuf *pbuf_dechain(struct pbuf *p);