From 84502e5ae0d4aac26b41c212ef16af48105e136f Mon Sep 17 00:00:00 2001 From: Tim Cussins Date: Mon, 29 May 2017 14:53:47 +0100 Subject: [PATCH] etharp.c: Ensure etharp_query() allocates adequate pbuf if copying/consolidating. etharp_query() queues packets, instead of sending, if a relevant arp-request is pending. Code walks the packet (a pbuf chain) to determine whether any pbufs are marked 'volatile': If so, we cannot simply enqueue the packet, and instead allocate a new pbuf from RAM, copying the original packet, and enqueueing this new pbuf. The bug here is that the allocation refers to the tot_len field of a temp pbuf*, 'p', instead of the head, 'q'. In the case where the first pbuf of the chain is non-volatile but the second pbuf *is* volatile, then we'll request an allocation that uses the tot_len field of the second pbuf. If the first pbuf is non-zero length, the allocated pbuf (chain) will be too small to allow the copy. Signed-off-by: goldsimon --- src/core/ipv4/etharp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/ipv4/etharp.c b/src/core/ipv4/etharp.c index b195e262..e5fdeafe 100644 --- a/src/core/ipv4/etharp.c +++ b/src/core/ipv4/etharp.c @@ -1009,7 +1009,7 @@ etharp_query(struct netif *netif, const ip4_addr_t *ipaddr, struct pbuf *q) } if (copy_needed) { /* copy the whole packet into new pbufs */ - p = pbuf_alloc(PBUF_LINK, p->tot_len, PBUF_RAM); + p = pbuf_alloc(PBUF_LINK, q->tot_len, PBUF_RAM); if (p != NULL) { if (pbuf_copy(p, q) != ERR_OK) { pbuf_free(p);
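Review bot: Using the chain head `q->tot_len` in `p = pbuf_alloc(PBUF_LINK, q->tot_len, PBUF_RAM);` is the right fix, since `pbuf_copy(p, q)` copies the whole chain `q` and the destination must be sized for the head's `tot_len`, not for whichever link the volatility walk left `p` pointing at; the underlying cause is that `p` doubles as the loop cursor and as the allocation target, so a follow-up that walks the chain with a separately named pointer (or resets `p` before the `copy_needed` block) would make this class of aliasing error hard to reintroduce. Worth recording in the commit message that the visible error path `if (pbuf_copy(p, q) != ERR_OK) { pbuf_free(p);` is what bounded the old bug to a dropped queued packet rather than an overrun, so readers assessing exposure know the failure mode.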