From c69914367da0c3859e01017516c3b197b11da3a7 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Mon, 13 Aug 2012 20:57:19 +0200 Subject: [PATCH 1/7] Sanity-check the size of netif->hwaddr --- src/core/dhcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/dhcp.c b/src/core/dhcp.c index 614fa324..2851d712 100644 --- a/src/core/dhcp.c +++ b/src/core/dhcp.c @@ -1693,7 +1693,7 @@ dhcp_create_msg(struct netif *netif, struct dhcp *dhcp, u8_t message_type) ip_addr_set_zero(&dhcp->msg_out->giaddr); for (i = 0; i < DHCP_CHADDR_LEN; i++) { /* copy netif hardware address, pad with zeroes */ - dhcp->msg_out->chaddr[i] = (i < netif->hwaddr_len) ? netif->hwaddr[i] : 0/* pad byte*/; + dhcp->msg_out->chaddr[i] = (i < netif->hwaddr_len && i < NETIF_MAX_HWADDR_LEN) ? netif->hwaddr[i] : 0/* pad byte*/; } for (i = 0; i < DHCP_SNAME_LEN; i++) { dhcp->msg_out->sname[i] = 0; From a07075106165198496ec32fabcafdd4287649582 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Mon, 13 Aug 2012 21:17:17 +0200 Subject: [PATCH 2/7] fixed bug #37052: "netconn_alloc: undefined netconn_type" assertion skipped --- src/api/api_msg.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/api/api_msg.c b/src/api/api_msg.c index 7ec9cfba..8b6286d9 100644 --- a/src/api/api_msg.c +++ b/src/api/api_msg.c @@ -579,10 +579,7 @@ netconn_alloc(enum netconn_type t, netconn_callback callback) conn->type = t; conn->pcb.tcp = NULL; -#if (DEFAULT_RAW_RECVMBOX_SIZE == DEFAULT_UDP_RECVMBOX_SIZE) && \ - (DEFAULT_RAW_RECVMBOX_SIZE == DEFAULT_TCP_RECVMBOX_SIZE) - size = DEFAULT_RAW_RECVMBOX_SIZE; -#else + /* If all sizes are the same, every compiler should optimize this switch to nothing, */ switch(NETCONNTYPE_GROUP(t)) { #if LWIP_RAW case NETCONN_RAW: 
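Review bot: The added `i < NETIF_MAX_HWADDR_LEN` term in dhcp_create_msg() silently truncates the copied address whenever a driver sets netif->hwaddr_len larger than the hwaddr array, so a misconfigured driver now sends a DHCP request with a wrong, zero-padded client hardware address instead of reading out of bounds. Since hwaddr_len comes from the driver, not from the peer, that is a programming error worth surfacing: add `LWIP_ASSERT("netif->hwaddr_len <= NETIF_MAX_HWADDR_LEN", netif->hwaddr_len <= NETIF_MAX_HWADDR_LEN);` before the loop and keep the bounded copy as the release-build fallback. The extra comparison could also be hoisted out of the loop into a single bounded length, but that is cosmetic. dhcp_create_msg() starts and ends outside the hunk.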
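Review bot: The new comment above the switch in netconn_alloc() ends in a comma and reads as cut off; `/* If all sizes are the same, every compiler should optimize this switch to nothing. */` would do, or drop the "every compiler" part, since it is an expectation rather than something the code enforces. The matching `-#endif` removal in the second hunk of this file needs no comment of its own. netconn_alloc() continues outside both hunks.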
@@ -603,7 +600,6 @@ netconn_alloc(enum netconn_type t, netconn_callback callback) LWIP_ASSERT("netconn_alloc: undefined netconn_type", 0); goto free_and_return; } -#endif if (sys_sem_new(&conn->op_completed, 0) != ERR_OK) { goto free_and_return; From 556a2126b53f1a762f3001b2c89db8d73a796289 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Mon, 13 Aug 2012 21:32:44 +0200 Subject: [PATCH 3/7] Fixed bug #36899 DNS TTL 0 is cached for a long time --- CHANGELOG | 3 +++ src/core/dns.c | 10 +++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index dbed662e..197f1e04 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -80,6 +80,9 @@ HISTORY ++ Bugfixes: + 2012-08-13: Simon Goldschmidt + * dns.c: fixed bug #36899 DNS TTL 0 is cached for a long time + 2012-05-11: Simon Goldschmidt (patch by Marty) * memp.c: fixed bug #36412: memp.c does not compile when MEMP_OVERFLOW_CHECK > zero and MEMP_SEPARATE_POOLS == 1 diff --git a/src/core/dns.c b/src/core/dns.c index d6336122..788df715 100644 --- a/src/core/dns.c +++ b/src/core/dns.c @@ -694,7 +694,7 @@ dns_check_entry(u8_t i) case DNS_STATE_DONE: { /* if the time to live is nul */ - if (--pEntry->ttl == 0) { + if ((pEntry->ttl == 0) || (--pEntry->ttl == 0)) { LWIP_DEBUGF(DNS_DEBUG, ("dns_check_entry: \"%s\": flush\n", pEntry->name)); /* flush this entry */ pEntry->state = DNS_STATE_UNUSED; @@ -816,6 +816,13 @@ dns_recv(void *arg, struct udp_pcb *pcb, struct pbuf *p, ip_addr_t *addr, u16_t if (pEntry->found) { (*pEntry->found)(pEntry->name, &pEntry->ipaddr, pEntry->arg); } + if (pEntry->ttl == 0) { + /* RFC 883, page 29: "Zero values are + interpreted to mean that the RR can only be used for the + transaction in progress, and should not be cached." + -> flush this entry now */ + goto flushentry; + } /* deallocate memory and return */ goto memerr; } else { 
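Review bot: The new zero-TTL check in dns_recv() covers one end of the range, but the value in pEntry->ttl is presumably still stored unbounded from the answer record above this hunk, and that record arrives over unauthenticated UDP; a forged reply carrying a very large TTL keeps a poisoned mapping in the table for as long as the entry survives. Clamp the parsed value where it is stored, `if (pEntry->ttl > DNS_MAX_TTL) { pEntry->ttl = DNS_MAX_TTL; }`, with `DNS_MAX_TTL` defined once near the top of the file. The RFC 883 quote in the added comment is the right justification for the zero case; a one-line pointer to the cap next to it would tie the two bounds together. dns_recv() starts and ends outside the hunk.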
@@ -838,6 +845,7 @@ responseerr: if (pEntry->found) { (*pEntry->found)(pEntry->name, NULL, pEntry->arg); } +flushentry: /* flush this entry */ pEntry->state = DNS_STATE_UNUSED; pEntry->found = NULL; From b82bca7c994875362dcca338be53e2ce059e2819 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Mon, 13 Aug 2012 21:38:30 +0200 Subject: [PATCH 4/7] fixed bug #36840 snmp_send_trap() NULL de-reference if traps configured but no interfaces available --- CHANGELOG | 4 ++ src/core/snmp/msg_out.c | 84 +++++++++++++++++++++-------------------- 2 files changed, 48 insertions(+), 40 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 197f1e04..ee04d033 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -80,6 +80,10 @@ HISTORY ++ Bugfixes: + 2012-08-13: Simon Goldschmidt + * msg_out.c: fixed bug #36840 snmp_send_trap() NULL de-reference if traps + configured but no interfaces available + 2012-08-13: Simon Goldschmidt * dns.c: fixed bug #36899 DNS TTL 0 is cached for a long time diff --git a/src/core/snmp/msg_out.c b/src/core/snmp/msg_out.c index 485f076a..fc0807c5 100644 --- a/src/core/snmp/msg_out.c +++ b/src/core/snmp/msg_out.c 
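Review bot: The new `flushentry:` label sits directly after the failure callback, and a reader following the goto from the success path in dns_recv() cannot tell from here that the result was already delivered before the jump; add a comment on the label, `flushentry: /* also entered from the success path: the result was already delivered, only the NULL-result callback above is skipped */`. The two jump sites are some thirty lines apart, so that comment is what stops a later edit from moving the label above the callback and reporting a failure after a success. The surrounding function starts outside the hunk.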
@@ -217,6 +217,7 @@ snmp_send_trap(s8_t generic_trap, struct snmp_obj_id *eoid, s32_t specific_trap) ip_addr_t dst_ip; struct pbuf *p; u16_t i,tot_len; + err_t err = ERR_OK; for (i=0, td = &trap_dst[0]; idip); /* lookup current source address for this dst */ dst_if = ip_route(&td->dip); - ip_addr_copy(dst_ip, dst_if->ip_addr); - /* @todo: what about IPv6? */ - trap_msg.sip_raw[0] = ip4_addr1(&dst_ip); - trap_msg.sip_raw[1] = ip4_addr2(&dst_ip); - trap_msg.sip_raw[2] = ip4_addr3(&dst_ip); - trap_msg.sip_raw[3] = ip4_addr4(&dst_ip); - trap_msg.gen_trap = generic_trap; - trap_msg.spc_trap = specific_trap; - if (generic_trap == SNMP_GENTRAP_ENTERPRISESPC) - { - /* enterprise-Specific trap */ - trap_msg.enterprise = eoid; - } - else - { - /* generic (MIB-II) trap */ - snmp_get_snmpgrpid_ptr(&trap_msg.enterprise); - } - snmp_get_sysuptime(&trap_msg.ts); + if (dst_if != NULL) { + ip_addr_copy(dst_ip, dst_if->ip_addr); + /* @todo: what about IPv6? */ + trap_msg.sip_raw[0] = ip4_addr1(&dst_ip); + trap_msg.sip_raw[1] = ip4_addr2(&dst_ip); + trap_msg.sip_raw[2] = ip4_addr3(&dst_ip); + trap_msg.sip_raw[3] = ip4_addr4(&dst_ip); + trap_msg.gen_trap = generic_trap; + trap_msg.spc_trap = specific_trap; + if (generic_trap == SNMP_GENTRAP_ENTERPRISESPC) + { + /* enterprise-Specific trap */ + trap_msg.enterprise = eoid; + } + else + { + /* generic (MIB-II) trap */ + snmp_get_snmpgrpid_ptr(&trap_msg.enterprise); + } + snmp_get_sysuptime(&trap_msg.ts); - /* pass 0, calculate length fields */ - tot_len = snmp_varbind_list_sum(&trap_msg.outvb); - tot_len = snmp_trap_header_sum(&trap_msg, tot_len); + /* pass 0, calculate length fields */ + tot_len = snmp_varbind_list_sum(&trap_msg.outvb); + tot_len = snmp_trap_header_sum(&trap_msg, tot_len); - /* allocate pbuf(s) */ - p = pbuf_alloc(PBUF_TRANSPORT, tot_len, PBUF_POOL); - if (p != NULL) - { - u16_t ofs; + /* allocate pbuf(s) */ + p = pbuf_alloc(PBUF_TRANSPORT, tot_len, PBUF_POOL); + if (p != NULL) + { + u16_t ofs; - /* pass 1, encode 
packet ino the pbuf(s) */ - ofs = snmp_trap_header_enc(&trap_msg, p); - snmp_varbind_list_enc(&trap_msg.outvb, p, ofs); + /* pass 1, encode packet ino the pbuf(s) */ + ofs = snmp_trap_header_enc(&trap_msg, p); + snmp_varbind_list_enc(&trap_msg.outvb, p, ofs); - snmp_inc_snmpouttraps(); - snmp_inc_snmpoutpkts(); + snmp_inc_snmpouttraps(); + snmp_inc_snmpoutpkts(); - /** send to the TRAP destination */ - udp_sendto(trap_msg.pcb, p, &trap_msg.dip, SNMP_TRAP_PORT); + /** send to the TRAP destination */ + udp_sendto(trap_msg.pcb, p, &trap_msg.dip, SNMP_TRAP_PORT); - pbuf_free(p); - } - else - { - return ERR_MEM; + pbuf_free(p); + } else { + err = ERR_MEM; + } + } else { + /* routing error */ + err = ERR_RTE; } } } - return ERR_OK; + return err; } void From bab8c82a35f7aebe4d0304fca64e0b7d0950bf95 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Mon, 13 Aug 2012 21:50:15 +0200 Subject: [PATCH 5/7] fixed bug #36645: Calling dhcp_release before dhcp_start dereferences NULL --- CHANGELOG | 4 ++++ src/core/dhcp.c | 3 +++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index ee04d033..b3f6890f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -80,6 +80,10 @@ HISTORY ++ Bugfixes: + 2012-08-13: Simon Goldschmidt + * dhcp.c: fixed bug #36645: Calling dhcp_release before dhcp_start + dereferences NULL + 2012-08-13: Simon Goldschmidt * msg_out.c: fixed bug #36840 snmp_send_trap() NULL de-reference if traps configured but no interfaces available diff --git a/src/core/dhcp.c b/src/core/dhcp.c index 2851d712..f0f594f1 100644 --- a/src/core/dhcp.c +++ b/src/core/dhcp.c @@ -1164,6 +1164,9 @@ dhcp_release(struct netif *netif) err_t result; u16_t msecs; LWIP_DEBUGF(DHCP_DEBUG | LWIP_DBG_TRACE, ("dhcp_release()\n")); + if (dhcp == NULL) { + return ERR_ARG; + } /* idle DHCP client */ dhcp_set_state(dhcp, DHCP_OFF); From 8bab5435313d248fd9ac05b41189c3d82bed8588 Mon Sep 17 00:00:00 2001 
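Review bot: The return value of udp_sendto() on the new side is still dropped, so a failed send leaves `err` at ERR_OK while the new variable only records allocation and routing failures; capture it with `err = udp_sendto(trap_msg.pcb, p, &trap_msg.dip, SNMP_TRAP_PORT);`. Because `err` is overwritten on every iteration of the destination loop, with several trap destinations configured snmp_send_trap() reports only the last destination's status, and unlike the removed early `return ERR_MEM` it now keeps sending after a failure; either keep the first error (`if (err == ERR_OK) { err = ERR_MEM; }` and likewise for ERR_RTE) or say so on the return, `/* status of the last destination attempted; earlier failures are not reported */`. The re-indented comment still reads "encode packet ino the pbuf(s)", which should be "into". The leading lines of this hunk are garbled in this copy and snmp_send_trap() begins outside it.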
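Review bot: The added NULL guard in dhcp_release() returns ERR_ARG without saying why dhcp can be NULL here; a short comment, `/* dhcp_start() has not been run on this netif, so there is nothing to release */`, saves the next reader a trip to bug #36645. lwIP's usual form for argument checks is `LWIP_ERROR("dhcp_release: netif->dhcp != NULL", (dhcp != NULL), return ERR_ARG;);`, which also reports under the assertion settings; the plain `if` is fine only if a silent return is intended. Sibling entry points that read netif->dhcp the same way, dhcp_renew() and dhcp_rebind() presumably among them, are not touched by this patch and are worth checking for the same dereference. dhcp_release() starts and ends outside the hunk.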
From: Ivan Delamer Date: Fri, 17 Aug 2012 10:56:14 -0600 Subject: [PATCH 6/7] Add a "NULL" output function for ipv6 by default, to avoid NULL dereferencing in case of non-IPv6-enabled netifs (e.g. PPP). Change-Id: I45f08ca89bfa0b8d61962f7052b11cc81a5e3cd1 --- src/core/netif.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/core/netif.c b/src/core/netif.c index 90bbff48..7a8968a2 100644 --- a/src/core/netif.c +++ b/src/core/netif.c @@ -84,6 +84,10 @@ struct netif *netif_default; static u8_t netif_num; +#if LWIP_IPV6 +static err_t netif_null_output_ip6(struct netif *netif, struct pbuf *p, ip6_addr_t *ipaddr); +#endif /* LWIP_IPV6 */ + #if LWIP_HAVE_LOOPIF static struct netif loop_netif; @@ -161,6 +165,7 @@ netif_add(struct netif *netif, ip_addr_t *ipaddr, ip_addr_t *netmask, ip6_addr_set_zero(&netif->ip6_addr[i]); netif_ip6_addr_set_state(netif, i, IP6_ADDR_INVALID); } + netif->output_ip6 = netif_null_output_ip6; #endif /* LWIP_IPV6 */ netif->flags = 0; #if LWIP_DHCP @@ -878,4 +883,14 @@ netif_create_ip6_linklocal_address(struct netif * netif, u8_t from_mac_48bit) netif->ip6_addr_state[0] = IP6_ADDR_PREFERRED; #endif /* LWIP_IPV6_AUTOCONFIG */ } + +static err_t +netif_null_output_ip6(struct netif *netif, struct pbuf *p, ip6_addr_t *ipaddr) +{ + (void)netif; + (void)pbuf; + (void)ipaddr; + + return ERR_IF; +} #endif /* LWIP_IPV6 */ From c762c06b171da3e073d6e77bac76b5f355ada97f Mon Sep 17 00:00:00 2001 From: Ivan Delamer Date: Fri, 17 Aug 2012 11:24:18 -0600 Subject: [PATCH 7/7] Fixed typo in previous commit. Change-Id: I97f85f4593509911829cfbbb6e309eecedd5465b --- src/core/netif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/netif.c b/src/core/netif.c index 7a8968a2..f8133f76 100644 --- a/src/core/netif.c +++ b/src/core/netif.c @@ -888,7 +888,7 @@ static err_t netif_null_output_ip6(struct netif *netif, struct pbuf *p, ip6_addr_t *ipaddr) { (void)netif; - (void)pbuf; + (void)p; (void)ipaddr; return ERR_IF;
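Review bot: netif_null_output_ip6() is added without a comment saying what it is for, and a reader who finds a netif's output_ip6 pointing at it cannot tell whether that is a bug or the default; a header such as `/* Default output_ip6 installed by netif_add(): returns ERR_IF so an IPv6 packet on a netif whose driver never set output_ip6 is dropped instead of calling through a NULL pointer. Drivers that support IPv6 are expected to overwrite it. */` covers it. The forward declaration in the first hunk and the assignment in netif_add() in the second hunk are the two places that comment should be discoverable from. netif_create_ip6_linklocal_address() ends inside the hunk and the file's trailing `#endif` is its last line.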