From 974cf08e5dd801234ad69feb85eee1abef231309 Mon Sep 17 00:00:00 2001 From: goldsimon Date: Sun, 3 Jun 2007 11:32:03 +0000 Subject: [PATCH] udp_input(): Input pbuf was not freed if pcb had no recv function registered, p->payload was modified without modifying p->len if sending icmp_dest_unreach() (had no negative effect but was definitively wrong). --- CHANGELOG | 5 +++++ src/core/udp.c | 11 +++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 4c90d1a1..3513fbac 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -170,6 +170,11 @@ HISTORY ++ Bug fixes: + 2007-06-03 Simon Goldschmidt + * udp.c: udp_input(): Input pbuf was not freed if pcb had no recv function + registered, p->payload was modified without modifying p->len if sending + icmp_dest_unreach() (had no negative effect but was definitively wrong). + 2007-06-03 Simon Goldschmidt * icmp.c: Corrected bug #19937: For responding to an icmp echo request, icmp re-used the input pbuf even if that didn't have enough space to include the diff --git a/src/core/udp.c b/src/core/udp.c index 6193961c..5a5b2170 100644 --- a/src/core/udp.c +++ b/src/core/udp.c @@ -214,8 +214,14 @@ udp_input(struct pbuf *p, struct netif *inp) if (pcb != NULL) { snmp_inc_udpindatagrams(); /* callback */ - if (pcb->recv != NULL) + if (pcb->recv != NULL) { + /* now the recv function is responsible for freeing p */ pcb->recv(pcb->recv_arg, pcb, p, &(iphdr->src), src); + } else { + /* no recv function registered? then we have to free the pbuf! */ + pbuf_free(p); + goto end; + } } else { LWIP_DEBUGF(UDP_DEBUG | LWIP_DBG_TRACE, ("udp_input: not for us.\n")); @@ -226,7 +232,8 @@ udp_input(struct pbuf *p, struct netif *inp) !ip_addr_ismulticast(&iphdr->dest)) { /* restore pbuf pointer */ - p->payload = iphdr; + pbuf_header(p, (IPH_HL(iphdr) * 4)); + LWIP_ASSERT("p->payload == iphdr", (p->payload == iphdr)); icmp_dest_unreach(p, ICMP_DUR_PORT); } UDP_STATS_INC(udp.proterr);
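Review bot: In the `@@ -214,8 +214,14 @@` hunk of src/core/udp.c, the new `else` branch frees `p` and jumps to `end`, but the `end` label and the rest of udp_input() lie outside the hunk, so it cannot be confirmed from here that nothing on that path reads or frees `p` again; a second `pbuf_free(p)` there would be a double free. The drop is also silent and still counted by `snmp_inc_udpindatagrams()`, so traffic aimed at a pcb with no callback is not visible in the statistics; consider adding `UDP_STATS_INC(udp.drop);` before `pbuf_free(p);`. The ownership rule stated in the new comment should also be documented where the callback is registered, for example `/* the recv callback takes ownership of p and must pbuf_free() it */`.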
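Review bot: In the `@@ -226,7 +232,8 @@` hunk, the return value of `pbuf_header()` is ignored and the only check that the payload is back on the IP header is `LWIP_ASSERT`, which is compiled out in builds that define `LWIP_NOASSERT`. In such a build a failed adjustment would hand `icmp_dest_unreach()` a pbuf whose payload is not the IP header, and the ICMP error would quote the wrong bytes of a packet supplied by a remote sender. Guard the call instead of asserting: `if (pbuf_header(p, (IPH_HL(iphdr) * 4)) == 0 && p->payload == iphdr) { icmp_dest_unreach(p, ICMP_DUR_PORT); }`. If udp_input() has also moved the payload past the UDP header before this point (not visible in the hunk), the increment would need to include `UDP_HLEN` for the payload to land on `iphdr`.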