* pbuf.c: Fix BUG#17645 - ensure pbuf payload pointer is not moved

outside the region of the pbuf by pbuf_header()
This commit is contained in:
kieranm 2007-02-28 13:45:35 +00:00
parent c52ac01fbc
commit 5ace5976a1
2 changed files with 20 additions and 1 deletions


@ -38,6 +38,10 @@ HISTORY
++ Bug fixes:
2007-02-28 Kieran Mansley
* pbuf.c: Fix BUG#17645 - ensure pbuf payload pointer is not moved
outside the region of the pbuf by pbuf_header()
2007-02-28 Kieran Mansley
* sockets.c: Fix BUG#19161 - ensure milliseconds timeout is non-zero
when supplied timeout is also non-zero


@ -469,10 +469,25 @@ pbuf_header(struct pbuf *p, s16_t header_size_increment)
{
u16_t flags;
void *payload;
u16_t increment_magnitude;
LWIP_ASSERT("p != NULL", p != NULL);
if ((header_size_increment == 0) || (p == NULL)) return 0;
if (header_size_increment < 0){
increment_magnitude = -header_size_increment;
/* Check that we aren't going to move off the end of the pbuf */
LWIP_ASSERT("increment_magnitude <= p->len", increment_magnitude <= p->len);
} else {
increment_magnitude = header_size_increment;
/* Check that we've got the correct type of pbuf to work with */
LWIP_ASSERT("p->flags == PBUF_FLAG_RAM || p->flags == PBUF_FLAG_POOL",
p->flags == PBUF_FLAG_RAM || p->flags == PBUF_FLAG_POOL);
/* Check that we aren't going to move off the beginning of the pbuf */
LWIP_ASSERT("p->payload - increment_magnitude >= p + sizeof(struct pbuf)",
(u8_t *)p->payload - increment_magnitude >= (u8_t *)p + sizeof(struct pbuf));
}
flags = p->flags;
/* remember current payload pointer */
payload = p->payload;
@ -494,7 +509,7 @@ pbuf_header(struct pbuf *p, s16_t header_size_increment)
/* pbuf types refering to external payloads? */
} else if (flags == PBUF_FLAG_REF || flags == PBUF_FLAG_ROM) {
/* hide a header in the payload? */
if ((header_size_increment < 0) && (header_size_increment - p->len <= 0)) {
if ((header_size_increment < 0) && (increment_magnitude <= p->len)) {
/* increase payload pointer */
p->payload = (u8_t *)p->payload - header_size_increment;
} else {
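Review bot: In the first hunk the new headroom checks on the RAM/POOL path are LWIP_ASSERT only, so in a build where LWIP_ASSERT expands to nothing a header_size_increment larger than the space in front of the payload still moves p->payload before the start of the pbuf; the REF/ROM path in the second hunk guards its equivalent condition with a runtime `if`, and the RAM/POOL path could keep the assert but additionally take the failure branch when `(u8_t *)p->payload - ((u8_t *)p + sizeof(struct pbuf)) < increment_magnitude`. Expressing it as a pointer difference, as in that condition, also avoids forming `p->payload - increment_magnitude` as an out-of-range pointer before comparing, which the current assertion expression does. The part of pbuf_header between the two hunks, where the RAM/POOL adjustment presumably happens, is outside the view, so the exact line for the runtime check cannot be named here. Minor style point on the same hunk: `if (header_size_increment < 0){` is missing the space before the brace that the rest of the function uses.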