Hi,
A code change was made in two files almost exactly 1 year ago:
tcp_out.c revision 1.43
tcp_in.c revision 1.54
Applied fix patch for bug #2679.
http://savannah.nongnu.org/bugs/?func=detailitem&item_id=2679
I think the idea was to fix a checksum alignment problem. However, the fix is
not correct and should be removed (now that the checksum alignment problem has
been addressed in the checksum routine). In tcp_out.c, the change was:
<<<<<
pcb->snd_buf -= len;
=====
/* FIX: Data split over odd boundaries */
pcb->snd_buf -= ((len+1) & ~0x1); /* Even the send buffer */
>>>>>
If snd_buf becomes an odd number (which is possible elsewhere in lwip), and
the application uses tcp_write() on that entire odd amount, pcb->snd_buf
underflows to 65535, crashing the application.
Regards,
Curt McDowell
Broadcom Corp.
_______________________________________________
lwip-users mailing list
http://lists.nongnu.org/mailman/listinfo/lwip-users
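
The underflow described in the message above, reproduced in a small model. This is an added example, not code from the original post or from lwIP: struct pcb_model, model_write(), its len <= snd_buf admission check and the start values 1460/1461 are assumptions made for illustration; only the two subtraction statements are taken from the message.

```c
/* Added illustration: a model of the accounting, not lwIP source code. */
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16_t;                /* 16-bit unsigned: wraps to 65535 */
struct pcb_model { u16_t snd_buf; };   /* hypothetical stand-in for the PCB */
typedef void (*charge_fn)(struct pcb_model *, u16_t);

/* Accounting before the bug #2679 patch: charge exactly len bytes. */
static void charge_exact(struct pcb_model *pcb, u16_t len) {
    pcb->snd_buf -= len;
}

/* Accounting from the patch: the charge is rounded up to an even count. */
static void charge_rounded(struct pcb_model *pcb, u16_t len) {
    pcb->snd_buf -= ((len + 1) & ~0x1);
}

/* Assumed admission check: accept a write only when len <= snd_buf.
 * Returns 0 when accepted, -1 when rejected. */
static int model_write(struct pcb_model *pcb, u16_t len, charge_fn charge) {
    if (len > pcb->snd_buf) return -1;
    charge(pcb, len);
    return 0;
}

/* Write the entire free space once; return snd_buf afterwards. */
static u16_t drain(u16_t start, charge_fn charge) {
    struct pcb_model pcb = { start };
    model_write(&pcb, pcb.snd_buf, charge);
    return pcb.snd_buf;
}
u16_t drain_exact(u16_t start)   { return drain(start, charge_exact); }
u16_t drain_rounded(u16_t start) { return drain(start, charge_rounded); }

/* After draining, is a further write of next_len still admitted? (1 = yes) */
int admitted_after_drain(u16_t start, u16_t next_len, charge_fn charge) {
    struct pcb_model pcb = { start };
    model_write(&pcb, pcb.snd_buf, charge);
    return model_write(&pcb, next_len, charge) == 0;
}

int main(void) {
    u16_t starts[] = { 1460, 1461 };   /* constructed values: one even, one odd */
    for (int i = 0; i < 2; i++)
        printf("start=%u exact=%u rounded=%u\n", (unsigned)starts[i],
               (unsigned)drain_exact(starts[i]), (unsigned)drain_rounded(starts[i]));
    return 0;
}
```

In this model an odd starting value passes the admission check, is then charged one byte more than was checked, and leaves the counter at 65535, after which the model admits writes far larger than the space that actually remains.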