[lwip-devel] [bug #57377] Assertion "pbuf_free: p->ref > 0" failed


From: Hiromasa Ito
Subject: [lwip-devel] [bug #57377] Assertion "pbuf_free: p->ref > 0" failed
Date: Sat, 7 Dec 2019 08:17:29 -0500 (EST)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15

URL:
  <https://savannah.nongnu.org/bugs/?57377>

                 Summary: Assertion "pbuf_free: p->ref > 0" failed
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: vhertz
            Submitted on: Sat 07 Dec 2019 01:17:27 PM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: Other

    _______________________________________________________

Details:

Hi, all.

This is one of the assertion failures I found by fuzzing (to lwIP
ver2.1.0.RC1).
The following LWIP_ASSERT() at lwip/src/core/pbuf.c:753 fails.


LWIP_ASSERT("pbuf_free: p->ref > 0", p->ref > 0);


From my point of view, double-free of `p` causes this failure.
The following code is in tcp_split_unsent_seg().


  seg = tcp_create_segment(pcb, p, remainder_flags,
                           lwip_ntohl(useg->tcphdr->seqno) + split, optflags);
  if (seg == NULL) {
    LWIP_DEBUGF(TCP_OUTPUT_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
                ("tcp_split_unsent_seg: could not create new TCP segment\n"));
    goto memerr;
  }


tcp_create_segment() calls pbuf_free() if there is no memory to allocate, and it
returns NULL.


memerr:
  TCP_STATS_INC(tcp.memerr);

  LWIP_ASSERT("seg == NULL", seg == NULL);
  if (p != NULL) {
    pbuf_free(p);
  }


If tcp_create_segment() has called pbuf_free(), this is the 2nd pbuf_free() call.
As a result, the assertion fails.

You can reproduce this failure with 'crashed_inputs/006' attached to the
following message of lwip-devel:
https://lists.nongnu.org/archive/html/lwip-devel/2019-12/msg00013.html




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57377>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
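
The ownership problem described in the report above, reduced to a stand-alone C model. This is an added example, not lwIP code and not the project's fix; the `toy_*` names, `fail_at` and the `clear_after_handoff` switch are hypothetical. It counts frees that arrive with `ref == 0` instead of asserting, and shows that dropping the caller's pointer after the hand-off keeps the `memerr` path correct for both failure points.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins with hypothetical names; this is not lwIP code. */
struct toy_pbuf { int ref; };
enum fail_at { FAIL_NONE, FAIL_BEFORE_HANDOFF, FAIL_IN_CREATE };

static int ref_violations; /* frees seen with ref == 0, the condition the assertion catches */
static int last_ref;       /* reference count left when the caller returned */

static void toy_pbuf_free(struct toy_pbuf *p) {
  if (p->ref <= 0) { ref_violations++; return; }
  p->ref--;
}

/* Modelled on the behaviour described in the report: takes ownership of p;
 * on allocation failure it frees p itself and returns NULL. */
static struct toy_pbuf *toy_create_segment(struct toy_pbuf *p, enum fail_at f) {
  if (f == FAIL_IN_CREATE) { toy_pbuf_free(p); return NULL; }
  return p; /* stands in for a segment that now owns p */
}

/* clear_after_handoff == 0 reproduces the reported caller pattern;
 * 1 drops the caller's pointer once ownership has moved to the callee. */
static int toy_split(enum fail_at f, int clear_after_handoff) {
  struct toy_pbuf buf = { 1 };
  struct toy_pbuf *p = &buf, *seg = NULL;

  ref_violations = 0;
  if (f == FAIL_BEFORE_HANDOFF) goto memerr; /* caller still owns p here */

  seg = toy_create_segment(p, f);
  if (clear_after_handoff) p = NULL;         /* callee owns p, success or not */
  if (seg == NULL) goto memerr;

  last_ref = buf.ref;
  return ref_violations;

memerr:
  if (p != NULL) toy_pbuf_free(p);           /* second free when p is stale */
  last_ref = buf.ref;
  return ref_violations;
}

int main(void) {
  printf("reported pattern: %d ref violation(s)\n", toy_split(FAIL_IN_CREATE, 0));
  printf("pointer cleared:  %d ref violation(s)\n", toy_split(FAIL_IN_CREATE, 1));
  return 0;
}
```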



