mirror of
https://github.com/lwip-tcpip/lwip.git
synced 2024-09-12 17:55:38 +00:00
Merge branch 'master' into ppp-new
This commit is contained in:
commit
bf37afd7c7
@ -145,6 +145,15 @@ HISTORY
|
|||||||
|
|
||||||
++ Bugfixes:
|
++ Bugfixes:
|
||||||
|
|
||||||
|
2014-01-10: Simon Goldschmidt
|
||||||
|
* ip_frag.c, ip6_frag.c: fixed bug #41041 Potential use-after-free in IPv6 reassembly
|
||||||
|
|
||||||
|
2014-01-10: Simon Goldschmidt
|
||||||
|
* memp.c: fixed bug #41188 Alignment error in memp_init() when MEMP_SEPARATE_POOLS==1
|
||||||
|
|
||||||
|
2014-01-10: Simon Goldschmidt
|
||||||
|
* tcp.c: fixed bug #39898 tcp_fasttmr() possible lock due to infinte queue process loop
|
||||||
|
|
||||||
2013-06-29: Simon Goldschmidt
|
2013-06-29: Simon Goldschmidt
|
||||||
* inet.h, sockets.h: partially fixed bug #37585: IPv6 compatibility (in socket structs)
|
* inet.h, sockets.h: partially fixed bug #37585: IPv6 compatibility (in socket structs)
|
||||||
|
|
||||||
|
@ -481,7 +481,6 @@ ip_reass(struct pbuf *p)
|
|||||||
struct ip_reass_helper *iprh;
|
struct ip_reass_helper *iprh;
|
||||||
u16_t offset, len;
|
u16_t offset, len;
|
||||||
u8_t clen;
|
u8_t clen;
|
||||||
struct ip_reassdata *ipr_prev = NULL;
|
|
||||||
|
|
||||||
IPFRAG_STATS_INC(ip_frag.recv);
|
IPFRAG_STATS_INC(ip_frag.recv);
|
||||||
snmp_inc_ipreasmreqds();
|
snmp_inc_ipreasmreqds();
|
||||||
@ -527,7 +526,6 @@ ip_reass(struct pbuf *p)
|
|||||||
IPFRAG_STATS_INC(ip_frag.cachehit);
|
IPFRAG_STATS_INC(ip_frag.cachehit);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
ipr_prev = ipr;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ipr == NULL) {
|
if (ipr == NULL) {
|
||||||
@ -565,6 +563,7 @@ ip_reass(struct pbuf *p)
|
|||||||
/* find the right place to insert this pbuf */
|
/* find the right place to insert this pbuf */
|
||||||
/* @todo: trim pbufs if fragments are overlapping */
|
/* @todo: trim pbufs if fragments are overlapping */
|
||||||
if (ip_reass_chain_frag_into_datagram_and_validate(ipr, p)) {
|
if (ip_reass_chain_frag_into_datagram_and_validate(ipr, p)) {
|
||||||
|
struct ip_reassdata *ipr_prev;
|
||||||
/* the totally last fragment (flag more fragments = 0) was received at least
|
/* the totally last fragment (flag more fragments = 0) was received at least
|
||||||
* once AND all fragments are received */
|
* once AND all fragments are received */
|
||||||
ipr->datagram_len += IP_HLEN;
|
ipr->datagram_len += IP_HLEN;
|
||||||
@ -592,6 +591,14 @@ ip_reass(struct pbuf *p)
|
|||||||
pbuf_cat(p, r);
|
pbuf_cat(p, r);
|
||||||
r = iprh->next_pbuf;
|
r = iprh->next_pbuf;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* find the previous entry in the linked list */
|
||||||
|
for (ipr_prev = reassdatagrams; ipr_prev != NULL; ipr = ipr->next) {
|
||||||
|
if (ipr_prev->next == ipr) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* release the sources allocate for the fragment queue entry */
|
/* release the sources allocate for the fragment queue entry */
|
||||||
ip_reass_dequeue_datagram(ipr, ipr_prev);
|
ip_reass_dequeue_datagram(ipr, ipr_prev);
|
||||||
|
|
||||||
|
@ -290,7 +290,14 @@ ip6_reass(struct pbuf *p)
|
|||||||
/* Make room and try again. */
|
/* Make room and try again. */
|
||||||
ip6_reass_remove_oldest_datagram(ipr, clen);
|
ip6_reass_remove_oldest_datagram(ipr, clen);
|
||||||
ipr = (struct ip6_reassdata *)memp_malloc(MEMP_IP6_REASSDATA);
|
ipr = (struct ip6_reassdata *)memp_malloc(MEMP_IP6_REASSDATA);
|
||||||
if (ipr == NULL)
|
if (ipr != NULL) {
|
||||||
|
/* re-search ipr_prev since it might have been removed */
|
||||||
|
for (ipr_prev = reassdatagrams; ipr_prev != NULL; ipr = ipr->next) {
|
||||||
|
if (ipr_prev->next == ipr) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else
|
||||||
#endif /* IP_REASS_FREE_OLDEST */
|
#endif /* IP_REASS_FREE_OLDEST */
|
||||||
{
|
{
|
||||||
IP6_FRAG_STATS_INC(ip6_frag.memerr);
|
IP6_FRAG_STATS_INC(ip6_frag.memerr);
|
||||||
@ -322,7 +329,14 @@ ip6_reass(struct pbuf *p)
|
|||||||
if ((ip6_reass_pbufcount + clen) > IP_REASS_MAX_PBUFS) {
|
if ((ip6_reass_pbufcount + clen) > IP_REASS_MAX_PBUFS) {
|
||||||
#if IP_REASS_FREE_OLDEST
|
#if IP_REASS_FREE_OLDEST
|
||||||
ip6_reass_remove_oldest_datagram(ipr, clen);
|
ip6_reass_remove_oldest_datagram(ipr, clen);
|
||||||
if ((ip6_reass_pbufcount + clen) > IP_REASS_MAX_PBUFS)
|
if ((ip6_reass_pbufcount + clen) <= IP_REASS_MAX_PBUFS) {
|
||||||
|
/* re-search ipr_prev since it might have been removed */
|
||||||
|
for (ipr_prev = reassdatagrams; ipr_prev != NULL; ipr = ipr->next) {
|
||||||
|
if (ipr_prev->next == ipr) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else
|
||||||
#endif /* IP_REASS_FREE_OLDEST */
|
#endif /* IP_REASS_FREE_OLDEST */
|
||||||
{
|
{
|
||||||
/* @todo: send ICMPv6 time exceeded here? */
|
/* @todo: send ICMPv6 time exceeded here? */
|
||||||
@ -335,6 +349,8 @@ ip6_reass(struct pbuf *p)
|
|||||||
|
|
||||||
/* Overwrite Fragment Header with our own helper struct. */
|
/* Overwrite Fragment Header with our own helper struct. */
|
||||||
iprh = (struct ip6_reass_helper *)p->payload;
|
iprh = (struct ip6_reass_helper *)p->payload;
|
||||||
|
LWIP_ASSERT("sizeof(struct ip6_reass_helper) <= IP6_FRAG_HLEN",
|
||||||
|
sizeof(struct ip6_reass_helper) <= IP6_FRAG_HLEN);
|
||||||
iprh->next_pbuf = NULL;
|
iprh->next_pbuf = NULL;
|
||||||
iprh->start = (offset & IP6_FRAG_OFFSET_MASK);
|
iprh->start = (offset & IP6_FRAG_OFFSET_MASK);
|
||||||
iprh->end = (offset & IP6_FRAG_OFFSET_MASK) + len;
|
iprh->end = (offset & IP6_FRAG_OFFSET_MASK) + len;
|
||||||
@ -456,6 +472,7 @@ ip6_reass(struct pbuf *p)
|
|||||||
|
|
||||||
if (valid) {
|
if (valid) {
|
||||||
/* All fragments have been received */
|
/* All fragments have been received */
|
||||||
|
u8_t* iphdr_ptr;
|
||||||
|
|
||||||
/* chain together the pbufs contained within the ip6_reassdata list. */
|
/* chain together the pbufs contained within the ip6_reassdata list. */
|
||||||
iprh = (struct ip6_reass_helper*) ipr->p->payload;
|
iprh = (struct ip6_reass_helper*) ipr->p->payload;
|
||||||
@ -504,13 +521,14 @@ ip6_reass(struct pbuf *p)
|
|||||||
LWIP_ASSERT("sanity check linked list", ipr_prev != NULL);
|
LWIP_ASSERT("sanity check linked list", ipr_prev != NULL);
|
||||||
ipr_prev->next = ipr->next;
|
ipr_prev->next = ipr->next;
|
||||||
}
|
}
|
||||||
|
iphdr_ptr = (u8_t*)ipr->iphdr;
|
||||||
memp_free(MEMP_IP6_REASSDATA, ipr);
|
memp_free(MEMP_IP6_REASSDATA, ipr);
|
||||||
|
|
||||||
/* adjust the number of pbufs currently queued for reassembly. */
|
/* adjust the number of pbufs currently queued for reassembly. */
|
||||||
ip6_reass_pbufcount -= pbuf_clen(p);
|
ip6_reass_pbufcount -= pbuf_clen(p);
|
||||||
|
|
||||||
/* Move pbuf back to IPv6 header. */
|
/* Move pbuf back to IPv6 header. */
|
||||||
if (pbuf_header(p, (u8_t*)p->payload - (u8_t*)ipr->iphdr)) {
|
if (pbuf_header(p, (u8_t*)p->payload - iphdr_ptr)) {
|
||||||
LWIP_ASSERT("ip6_reass: moving p->payload to ip6 header failed\n", 0);
|
LWIP_ASSERT("ip6_reass: moving p->payload to ip6 header failed\n", 0);
|
||||||
pbuf_free(p);
|
pbuf_free(p);
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -371,7 +371,7 @@ memp_init(void)
|
|||||||
for (i = 0; i < MEMP_MAX; ++i) {
|
for (i = 0; i < MEMP_MAX; ++i) {
|
||||||
memp_tab[i] = NULL;
|
memp_tab[i] = NULL;
|
||||||
#if MEMP_SEPARATE_POOLS
|
#if MEMP_SEPARATE_POOLS
|
||||||
memp = (struct memp*)memp_bases[i];
|
memp = (struct memp*)LWIP_MEM_ALIGN(memp_bases[i]);
|
||||||
#endif /* MEMP_SEPARATE_POOLS */
|
#endif /* MEMP_SEPARATE_POOLS */
|
||||||
/* create a linked list of memp elements */
|
/* create a linked list of memp elements */
|
||||||
for (j = 0; j < memp_num[i]; ++j) {
|
for (j = 0; j < memp_num[i]; ++j) {
|
||||||
|
@ -1112,6 +1112,8 @@ tcp_fasttmr_start:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
pcb = next;
|
pcb = next;
|
||||||
|
} else {
|
||||||
|
pcb = pcb->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user