[bug #57481] Lease timeout timers overflow

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[bug #57481] Lease timeout timers overflow

Simon Goldschmidt
URL:
  <https://savannah.nongnu.org/bugs/?57481>

                 Summary: Lease timeout timers overflow
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: sjanek
            Submitted on: Thu 26 Dec 2019 03:17:50 AM UTC
                Category: DHCP
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Hi,

I am not sure if its bug but:
in function called dhcp_bind there is assignation of timeouts to variables
(defined in struct dhcp):
t0_timeout
t1_timeout
t2_timeout
which are 16 bits, form variable timeout of size 32 bits.


For lease time one day the timeout is 86400 this value is out of range 16 bits
variable. I have timeouts received from router as follow:
t0=86400
t1=43200
t2=75600
this cause variable overflow and results that condition:
  /* If we have sub 1 minute lease, t2 and t1 will kick in at the same time.
*/
  if ((dhcp->t1_timeout >= dhcp->t2_timeout) && (dhcp->t2_timeout > 0)) {
    dhcp->t1_timeout = 0;
  }
is true.

Is a bug?




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57481>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
Reply | Threaded
Open this post in threaded view
|

[bug #57481] Lease timeout timers overflow

Simon Goldschmidt
Update of bug #57481 (project lwip):

                  Status:                    None => Invalid                
             Assigned to:                    None => goldsimon              
             Open/Closed:                    Open => Closed                

    _______________________________________________________

Follow-up Comment #1:

I think your analysis is wrong: those timeout values are in
DHCP_COARSE_TIMER_SECS, which is one minute, so you have to divide your
overflow calculation by 60. So the maximum value for those timers will be ~45
days.

Also, the value is not just assigned. It is checked for overflow and limited
to 0xffff instead of overflowing.

In the old days where people actually cared for every byte, we decided that 45
days should be more than enough and it should be ok to trim here.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57481>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel