From 887077b5a429ba1ff1a35ed9014449fb3b315f8d Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Wed, 16 May 2007 10:45:28 +0000
Subject: [PATCH] pbuf_alloc(PBUF_POOL): Added asserts to make sure payload+len is still in bound of the pbuf (also to make sure bug #15659 is fixed).
---
 src/core/pbuf.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/core/pbuf.c b/src/core/pbuf.c
index f010ae90..5225593a 100644
--- a/src/core/pbuf.c
+++ b/src/core/pbuf.c
@@ -165,6 +165,9 @@ pbuf_alloc(pbuf_layer l, u16_t length, pbuf_flag flag)
 p->tot_len = length;
 /* set the length of the first pbuf in the chain */
 p->len = length > PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset)? PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset): length;
+ LWIP_ASSERT("check p->payload + p->len does not overflow pbuf",
+ ((u8_t*)p->payload + p->len <
+ (u8_t*)p + SIZEOF_STRUCT_PBUF + PBUF_POOL_BUFSIZE));
 /* set reference count (needed here in case we fail) */
 p->ref = 1;
@@ -195,6 +198,9 @@ pbuf_alloc(pbuf_layer l, u16_t length, pbuf_flag flag)
 q->payload = (void *)((u8_t *)q + SIZEOF_STRUCT_PBUF);
 LWIP_ASSERT("pbuf_alloc: pbuf q->payload properly aligned", ((mem_ptr_t)q->payload % MEM_ALIGNMENT) == 0);
+ LWIP_ASSERT("check p->payload + p->len does not overflow pbuf",
+ ((u8_t*)p->payload + p->len <
+ (u8_t*)p + SIZEOF_STRUCT_PBUF + PBUF_POOL_BUFSIZE));
 q->ref = 1;
 /* calculate remaining length to be allocated */
 rem_len -= q->len;
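Review bot: The bound added in the first hunk (`@@ -165,6 +165,9 @@`) uses a strict `<`, but `p->payload + p->len` is a one-past-the-end pointer, so a pbuf whose data exactly fills the pool buffer would trip the assert although nothing lies out of bounds. The payload assignment is outside the hunk, so this is inferred: if the payload can start at `p + SIZEOF_STRUCT_PBUF` with a zero header offset, a request of `PBUF_POOL_BUFSIZE` bytes or more reaches that case. The comparison should be `((u8_t*)p->payload + p->len <=` with the limit line unchanged, and the second hunk (`@@ -195,6 +198,9 @@`) repeats the same operator. LWIP_ASSERT is typically compiled out when assertions are disabled (confirm for this configuration), so the check documents the invariant while the clamp on `p->len` stays the actual guard. pbuf_alloc's body starts and ends outside the hunk.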
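Review bot: The assert added in the second hunk (`@@ -195,6 +198,9 @@`) still tests `p`, although the surrounding lines initialise `q`; it looks like a copy of the first hunk's check, so the newly allocated pbuf is never verified here. It should read `LWIP_ASSERT("check q->payload + q->len does not overflow pbuf",` / `((u8_t*)q->payload + q->len <=` / `(u8_t*)q + SIZEOF_STRUCT_PBUF + PBUF_POOL_BUFSIZE));`. That relies on `q->len` being assigned before this point, which the later `rem_len -= q->len` suggests but the hunk does not show. The enclosing block of pbuf_alloc starts and ends outside the hunk.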