From fa5ca55c9d788dbb2ba5d2d4debc90a215d0d038 Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt
Date: Wed, 12 May 2021 21:00:10 +0200
Subject: [PATCH] pbuf_realloc: check that mem_trim does not move the memory

Our own implementation does not do this, but overridden implementations calling 'realloc()' might invalidly do this
---
 src/core/pbuf.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/core/pbuf.c b/src/core/pbuf.c
index 7dda199f..e6027261 100644
--- a/src/core/pbuf.c
+++ b/src/core/pbuf.c
@@ -441,8 +441,11 @@ pbuf_realloc(struct pbuf *p, u16_t new_len)
 #endif /* LWIP_SUPPORT_CUSTOM_PBUF */
 ) {
 /* reallocate and adjust the length of the pbuf that will be split */
- q = (struct pbuf *)mem_trim(q, (mem_size_t)(((u8_t *)q->payload - (u8_t *)q) + rem_len));
- LWIP_ASSERT("mem_trim returned q == NULL", q != NULL);
+ struct pbuf *r = (struct pbuf *)mem_trim(q, (mem_size_t)(((u8_t *)q->payload - (u8_t *)q) + rem_len));
+ LWIP_ASSERT("mem_trim returned r == NULL", r != NULL);
+ /* help to detect faulty overridden implementation of mem_trim */
+ LWIP_ASSERT("mem_trim returned r != q", r == q);
+ LWIP_UNUSED_ARG(r);
 }
 /* adjust length fields for new last pbuf */
 q->len = rem_len;
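Review bot: The in-place requirement on mem_trim is enforced only by `LWIP_ASSERT("mem_trim returned r != q", r == q)`. The `LWIP_UNUSED_ARG(r)` that follows suggests the asserts can compile to nothing; in such a build a relocating mem_trim override would leave `q->len = rem_len` writing through a stale pointer with no diagnostic. The new comment names the check but not the consequence, so I would extend it to `/* mem_trim must shrink in place: q is still written below, so a moving realloc()-style override means a write to freed memory */`. If assert-free builds are supported, the same contract belongs wherever the mem_trim override is documented, which is outside this hunk. The body of pbuf_realloc starts and ends outside the hunk.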