Bug in mem_realloc (patch included)

Bug in mem_realloc (patch included)

Per-Henrik Lundblom
Hi,

Just spent a couple of hours figuring out what the heck my system was
doing. Turned out there's a bug in the mem_realloc(). The bug appears at
least in the CVS head version and seems to have been introduced when
the plug_holes() call was removed from mem_realloc().

Problem appears if you realloc the last used mem block in the heap.
Today's code just creates a new struct mem for the empty unused block
that represents the unused heap. The problem is that the lfree variable
that should point to the last unused block (in this case the block we
move) isn't updated. As a result lfree points to an invalid mem block.

Patch:

diff -ru lwip/src/core/mem.c lwip-patched/src/core/mem.c
--- lwip/src/core/mem.c 2007-09-15 13:34:06.000000000 +0200
+++ lwip-patched/src/core/mem.c 2007-10-08 16:41:25.008750000 +0200
@@ -341,6 +341,9 @@
     next = mem2->next;
     /* create new struct mem which is moved directly after the shrinked
 * mem */
     ptr2 = ptr + SIZEOF_STRUCT_MEM + newsize;
+    if (lfree == mem2) {
+      lfree = (struct mem *)&ram[ptr2];
+    }
     mem2 = (struct mem *)&ram[ptr2];
     mem2->used = 0;
     /* restore the next pointer */
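Review bot: the added `if (lfree == mem2)` check repairs lfree only on this path, where an existing free block's header is moved down to ptr2; the hunk does not touch any other path in mem_realloc() that creates a free struct mem, so each of those should be checked for the same lfree update before this goes in. A one-line comment above the check saying that lfree must follow the moved free block would also help, since nothing in the surrounding lines explains why lfree is compared against the old mem2 before mem2 is reassigned.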

Should I submit a bug report too?

/PH

--
Per-Henrik Lundblom           epost: [hidden email]
telefon: 0733-20 71 26        hemsida: www.whatever.nu


_______________________________________________
lwip-users mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/lwip-users
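
A small model of the failure described in the post above, added here as an example and not part of the original message or of lwIP's mem.c. The struct layout, the 256-byte heap and the names `heap_init`, `shrink_first` and `lfree_is_valid` are assumptions made for illustration; the code shrinks the last used block with and without the patched check and validates lfree by walking the block chain.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of the layout described in the post (constructed; not lwIP's mem.c). */
struct mem { size_t next, prev; unsigned char used; };
#define HDR  sizeof(struct mem)
#define HEAP 256                       /* offset of the end sentinel */
static _Alignas(struct mem) unsigned char ram[HEAP + sizeof(struct mem)];
static struct mem *lfree;              /* the free-block pointer the post is about */
#define AT(off) ((struct mem *)&ram[off])

/* One used block of `size` bytes at offset 0, then one free block up to HEAP. */
static void heap_init(size_t size) {
  size_t free_off = HDR + size;
  memset(ram, 0, sizeof ram);
  *AT(0)        = (struct mem){ .next = free_off, .prev = 0, .used = 1 };
  *AT(free_off) = (struct mem){ .next = HEAP, .prev = 0, .used = 0 };
  *AT(HEAP)     = (struct mem){ .next = HEAP, .prev = free_off, .used = 1 };
  lfree = AT(free_off);
}

/* Shrink the block at offset 0; the free header behind it moves down to ptr2. */
static void shrink_first(size_t newsize, int apply_fix) {
  struct mem *mem = AT(0), *mem2 = AT(mem->next);
  size_t next = mem2->next, ptr2 = HDR + newsize;
  if (apply_fix && lfree == mem2) lfree = AT(ptr2);   /* the patched check */
  mem2 = AT(ptr2);
  *mem2 = (struct mem){ .next = next, .prev = 0, .used = 0 };
  mem->next = ptr2;
  AT(next)->prev = ptr2;
}

/* Valid only if the chain from offset 0 reaches lfree and it is free; the
 * stale header left at the old offset still reads as free, so walk the chain. */
static int lfree_is_valid(void) {
  for (size_t off = 0; off < HEAP; off = AT(off)->next) {
    if (AT(off) == lfree) return !AT(off)->used;
    if (AT(off)->next <= off) return 0;               /* corrupt chain */
  }
  return 0;
}

static int lfree_valid_after_shrink(int apply_fix) {
  heap_init(64);
  shrink_first(32, apply_fix);
  return lfree_is_valid();
}

int main(void) { return !(lfree_valid_after_shrink(1) && !lfree_valid_after_shrink(0)); }
```

A chain walk like `lfree_is_valid` can be run as a debug assertion after each allocator call to catch this class of stale-pointer bug where it is introduced.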


Re: Bug in mem_realloc (patch included)

goldsimon@gmx.de
Hi PH,

> Just spent a couple of hours figuring out what the heck my system was
> doing. Turned out there's a bug in the mem_realloc(). The bug appears at
> least in the CVS head version and seems to have been introduced when
> the plug_holes() call was removed from mem_realloc().
>
> Problem appears if you realloc the last used mem block in the heap.
> Today's code just creates a new struct mem for the empty unused block
> that represents the unused heap. The problem is that the lfree variable
> that should point to the last unused block (in this case the block we
> move) isn't updated. As a result lfree points to an invalid mem block.
Thanks for the bug report. The 'else' below in mem_realloc was missing
an lfree update also.
That file has been hard work for some people already ;-)
> Should I submit a bug report too?
>  
It's the normal way to do with a bug report like yours, yes (to prevent
it from being lost on the mailing list).
But since I already fixed it in CVS HEAD, there's no need to do that now.

Thanks again,
Simon



RE: Bug in mem_realloc (patch included)

Nitin AGARWAL-2
Hi Simon,

Could you send me the updated mem.c file (with updated if/else condition).

Thanks & Regards,
Nitin


-----Original Message-----
From: lwip-users-bounces+nitin-dlh.agarwal=[hidden email]
[mailto:lwip-users-bounces+nitin-dlh.agarwal=[hidden email]] On Behalf Of
[hidden email]
Sent: Tuesday, October 09, 2007 12:09 AM
To: Mailing list for lwIP users
Subject: Re: [lwip-users] Bug in mem_realloc (patch included)

Hi PH,

> Just spent a couple of hours figuring out what the heck my system was
> doing. Turned out there's a bug in the mem_realloc(). The bug appears
> at least in the CVS head version and seems to have been introduced
> when the plug_holes() call was removed from mem_realloc().
>
> Problem appears if you realloc the last used mem block in the heap.
> Today's code just creates a new struct mem for the empty unused block
> that represents the unused heap. The problem is that the lfree
> variable that should point to the last unused block (in this case the
> block we move) isn't updated. As a result lfree points to an invalid mem block.
Thanks for the bug report. The 'else' below in mem_realloc was missing an
lfree update also.
That file has been hard work for some people already ;-)
> Should I submit a bug report too?
>  
It's the normal way to do with a bug report like yours, yes (to prevent it
from being lost on the mailing list).
But since I already fixed it in CVS HEAD, there's no need to do that now.

Thanks again,
Simon



RE: Bug in mem_realloc (patch included)

Goldschmidt Simon
> Could you send me the updated mem.c file (with updated
> if/else condition).

It's available in WebCVS:
http://cvs.savannah.nongnu.org/viewvc/*checkout*/lwip/src/core/mem.c?revision=1.51&root=lwip

Or
http://cvs.savannah.nongnu.org/viewvc/lwip/src/core/mem.c?root=lwip&view=log
for an overview of the revisions.

