From 4192df97ec0f6a062d7fb361366dee0a20dd6157 Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Fri, 18 May 2007 11:13:34 +0000
Subject: [PATCH] Corrected check of PBUF_POOL overflow

---
 src/core/pbuf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/core/pbuf.c b/src/core/pbuf.c
index 5225593a..f704c47e 100644
--- a/src/core/pbuf.c
+++ b/src/core/pbuf.c
@@ -166,7 +166,7 @@ pbuf_alloc(pbuf_layer l, u16_t length, pbuf_flag flag)
 /* set the length of the first pbuf in the chain */
 p->len = length > PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset)? PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset): length;
 LWIP_ASSERT("check p->payload + p->len does not overflow pbuf",
- ((u8_t*)p->payload + p->len <
+ ((u8_t*)p->payload + p->len <=
 (u8_t*)p + SIZEOF_STRUCT_PBUF + PBUF_POOL_BUFSIZE));
 /* set reference count (needed here in case we fail) */
 p->ref = 1;
@@ -199,7 +199,7 @@ pbuf_alloc(pbuf_layer l, u16_t length, pbuf_flag flag)
 LWIP_ASSERT("pbuf_alloc: pbuf q->payload properly aligned",
 ((mem_ptr_t)q->payload % MEM_ALIGNMENT) == 0);
 LWIP_ASSERT("check p->payload + p->len does not overflow pbuf",
- ((u8_t*)p->payload + p->len <
+ ((u8_t*)p->payload + p->len <=
 (u8_t*)p + SIZEOF_STRUCT_PBUF + PBUF_POOL_BUFSIZE));
 q->ref = 1;
 /* calculate remaining length to be allocated */
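Review bot: The first hunk (@@ -166,7) should carry a comment saying why the bound is inclusive, because the operator has now been changed once and `<` will look plausible to a later reader: `/* <=: a pbuf filled to capacity ends exactly at the end of its pool buffer */`. The assertion is a diagnostic and may not be present in every build, so what actually bounds `p->len` is the clamp on the line above it. That clamp presumes `MEM_ALIGN_SIZE(offset)` never exceeds `PBUF_POOL_BUFSIZE`; `offset` is computed outside this hunk, so that is worth confirming there. The body of pbuf_alloc starts and ends outside the hunk.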
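Review bot: In the second hunk (@@ -199,7) the corrected assertion still tests `p`, the head of the chain, although the surrounding lines (the `q->payload` alignment assert and `q->ref = 1`) are setting up the follow-on pbuf `q`, so the bound of each newly linked pool buffer appears never to be checked. If this is a copy of the first hunk's assert, the condition should read `((u8_t*)q->payload + q->len <= (u8_t*)q + SIZEOF_STRUCT_PBUF + PBUF_POOL_BUFSIZE)` and the message string should name `q` to match. The assignment of `q->len` is not visible here, so confirm it happens before this line; the enclosing loop starts and ends outside the hunk.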