[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory


[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory

madhu
URL:
  <https://savannah.nongnu.org/bugs/?54744>

                 Summary: if altcp_close() called from recv() callback, there is some write to freed memory
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: dgirault
            Submitted on: Thu 27 Sep 2018 03:07:36 PM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

When altcp_close() is called from the recv() handler installed by the application
for an altcp mbedtls socket, the following problems occur:

- in altcp_mbedtls_pass_rx_data(), state isn't valid anymore after the
conn->recv() call, so it must not write NULL to state->rx_app.

- in altcp_mbedtls_handle_rx_appldata(), which calls
altcp_mbedtls_pass_rx_data(), state may not be valid after this call, so the loop
must be broken out of.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?54744>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
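The report describes two defects of one shape: a write through a local `state` pointer after a callback that may have freed it, and a loop that keeps feeding data to that freed state. The following is an added C model of the altcp layering (not lwIP's code and not the attached patch) showing the hardened form of both functions: the state pointer is re-read from the connection after the callback returns, and the receive loop stops as soon as it is gone. `conn_close`, `pass_rx_data`, `handle_rx_appldata`, `run_scenario` and the chunk contents are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the altcp TLS layer; not lwIP's own code. */
struct conn;
typedef void (*recv_fn)(struct conn *c, const char *data, size_t len);

struct tls_state {
    const char *rx_app;      /* decrypted chunk currently handed to the application */
};

struct conn {
    struct tls_state *state; /* freed by conn_close(); NULL afterwards */
    recv_fn recv;            /* application's recv() callback */
    int close_at;            /* scenario knob: chunk index at which the app closes (-1 = never) */
    int delivered;           /* instrumentation: number of recv() invocations */
    int frees;               /* instrumentation: number of state frees */
};

/* Model of altcp_close(): frees the TLS state. The app may call this from recv(). */
static void conn_close(struct conn *c) {
    if (c->state != NULL) {
        free(c->state);
        c->state = NULL;
        c->frees++;
    }
}

/* Hardened counterpart of altcp_mbedtls_pass_rx_data().
 * Returns 0 if the connection is still open after the callback, -1 if the app closed it. */
static int pass_rx_data(struct conn *c, const char *chunk, size_t len) {
    struct tls_state *state = c->state;
    state->rx_app = chunk;
    c->recv(c, chunk, len);            /* may call conn_close() and free state */

    /* Bug pattern: "state->rx_app = NULL;" here writes through the stale local
     * pointer once the callback has freed state. Re-read it from the connection. */
    if (c->state == NULL) {
        return -1;
    }
    c->state->rx_app = NULL;
    return 0;
}

/* Hardened counterpart of altcp_mbedtls_handle_rx_appldata(): break the loop once
 * pass_rx_data() reports that the state is gone. Returns the number of chunks processed. */
static int handle_rx_appldata(struct conn *c, const char *const *chunks, size_t n) {
    int processed = 0;
    for (size_t i = 0; i < n; i++) {
        processed++;
        if (pass_rx_data(c, chunks[i], strlen(chunks[i])) < 0) {
            break;    /* state freed: continuing would dereference freed memory */
        }
    }
    return processed;
}

/* Application callback for the scenario: closes the connection on chunk close_at. */
static void app_recv(struct conn *c, const char *data, size_t len) {
    (void)data; (void)len;
    if (c->delivered == c->close_at) {
        conn_close(c);
    }
    c->delivered++;
}

/* Runs three constructed chunks through the TLS layer; the app closes at close_at.
 * Returns the number of recv() callbacks made; *frees receives the total free count,
 * which must be exactly one whether the app or the normal teardown closed. */
static int run_scenario(int close_at, int *frees) {
    static const char *const chunks[] = { "GET /", " HTTP/1.1\r\n", "\r\n" };  /* constructed */
    struct conn c = {0};
    c.state = calloc(1, sizeof *c.state);
    c.recv = app_recv;
    c.close_at = close_at;
    handle_rx_appldata(&c, chunks, 3);
    conn_close(&c);   /* normal teardown; a no-op if the app already closed */
    if (frees) *frees = c.frees;
    return c.delivered;
}

int main(void) {
    int frees;
    int n = run_scenario(1, &frees);   /* app closes inside the second recv() */
    return (n == 2 && frees == 1) ? 0 : 1;
}
```

With the app closing inside the second callback, only two chunks reach recv() and the state is freed exactly once; the buggy loop would have called recv() a third time with a freed state and written `rx_app` through the stale pointer. Running the scenario under AddressSanitizer with the re-read check removed is a quick way to reproduce the report's write-after-free.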

[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory

madhu
Additional Item Attachment, bug #54744 (project lwip):

File name: altcp_tls_mbedtls.patch        Size:1 KB


    _______________________________________________________


[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory

madhu
Follow-up Comment #1, bug #54744 (project lwip):

Sorry for the patch; it is neither in a good format nor made against upstream/master.

    _______________________________________________________


[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory

madhu
Update of bug #54744 (project lwip):

         Planned Release:                    None => 2.1.1                  


    _______________________________________________________


[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory

madhu
Follow-up Comment #2, bug #54744 (project lwip):

I've added a patch applied against current master (don't have time to review
it right now, especially the part that checks if the app has called close...)

(file #45130)
    _______________________________________________________

Additional Item Attachment:

File name: 0001-bug-54744.patch           Size:2 KB


    _______________________________________________________


[bug #54744] if altcp_close() called from recv() callback, there is some write to freed memory

madhu
Update of bug #54744 (project lwip):

                  Status:                    None => Fixed                  
             Assigned to:                    None => goldsimon              
             Open/Closed:                    Open => Closed                

    _______________________________________________________

Follow-up Comment #3:

Ok, sorry for taking nearly a month. Finally found the time to review this.

Pushed, thanks for the patch.

    _______________________________________________________
