[lwip-users] netconn_aborted pointer in api_msg.c

Tue, 27 Sep 2016 20:40:48 -0700 

I have found a situation in lwIP STABLE-2_0_0 that can result in 
dereferencing a bad pointer. 

In api_msg.c, the function accept_function() posts dummy u8_t pointer 
&netconn_aborted after an error:

 if (newpcb == NULL) {
    /* out-of-pcbs during connect: pass on this error to the application 
*/
    if (sys_mbox_trypost(&conn->acceptmbox, (void*)&netconn_aborted) == 
ERR_OK) {
      /* Register event with callback */
      API_EVENT(conn, NETCONN_EVT_RCVPLUS, 0);
    }
    return ERR_VAL;
  }

  /* We have to set the callback here even though
   * the new socket is unknown. newconn->socket is marked as -1. */
  newconn = netconn_alloc(conn->type, conn->callback);
  if (newconn == NULL) {
    /* outof netconns: pass on this error to the application */
    if (sys_mbox_trypost(&conn->acceptmbox, (void*)&netconn_aborted) == 
ERR_OK) {
      /* Register event with callback */
      API_EVENT(conn, NETCONN_EVT_RCVPLUS, 0);
    }
    return ERR_MEM;
  }

Later other functions (for example netconn_drain() and netconn_free()) can 
receive &netconn_aborted from the mailbox and wrongly deference it as a 
(struct netconn *). 
Some elements of (struct netconn) are also pointers, so hard faults can 
quickly result.

My embedded application runs FreeRTOS on a lpc1768 (Cortex-M3) and 
supports Modbus.
To reproduce the problem, rapidly open and close sockets at a speed that 
can cause NETCONN memp errors.
  A) On an computer, Install modbus command line program "modpoll"
  B) In a script, loop modpoll reading a single register.  For example:

    #!/bin/bash
    c=1
    while [ $c -le 10000000 ]
    do
            modpoll -1 -r 86 192.168.1.88
            echo "Loops: $c"
            (( c++ ))
    done

    C) Startup multiple copies of the script.  For my setup, seven 
simultaneous scripts cause a hardfault within about a minute.


You might have another solution, but I was able to eliminate the hard 
faults by:
1) changing the declaration of netconn_aborted to
const struct netconn netconn_aborted;
2) adding the follow sanity check to the top of netconn_free() and 
netconn_drain():
  if (conn == &netconn_aborted) 
      return;

However, I still cannot re-establish communication after NETCONN MEMP 
errors. The NETCONN memory is never released.  Any advice is appreciated.

Thank you to all contributors of lwIP.

Greg
_______________________________________________
lwip-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/lwip-users

Reply via email to