Re: [lwip-users] Infinite hang in tcp_slowtmr()
From: Sylvain Rochet
Subject: Re: [lwip-users] Infinite hang in tcp_slowtmr()
Date: Thu, 29 Oct 2015 20:38:05 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
Hi,
On Thu, Oct 29, 2015 at 08:06:30PM +0530, Dinesh Pandey wrote:
> Looks like I found the cause of 'my' loop.
>
> I was calling tcp_close twice on a TCP PCB.
>
> The memp_free routine simply puts the TCP PCB at the head of the linked
> list. If memp_free is called twice with the same TCP PCB, the first element
> starts to point back to itself.
>
> When a new TCP connection is created, the memp_alloc will return this
> looped member and you will end up with a looped PCB linked list.
Indeed, this is actually a use-after-free security hole.
Sylvain
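
The failure described in this thread, as an added example that is not part of the original messages and is not lwIP's code: a toy fixed-size pool whose free routine pushes the element onto the head of the free list, shown with an unchecked free, a checked free that rejects a second release, and a cycle check over the free list. All names here (`struct elem`, `pool_free_checked`, `free_list_has_cycle`, the `in_use` flag) are hypothetical.

```c
#include <stddef.h>

/* Toy pool modelled on the behaviour described in the thread: free pushes the
 * element on the head of a singly linked free list. Hypothetical names. */
struct elem { struct elem *next; int in_use; };
#define POOL_SIZE 4
static struct elem pool[POOL_SIZE];
static struct elem *free_head;

void pool_init(void) {
    free_head = NULL;
    for (int i = POOL_SIZE - 1; i >= 0; i--) {
        pool[i].in_use = 0;
        pool[i].next = free_head;
        free_head = &pool[i];
    }
}

struct elem *pool_alloc(void) {
    struct elem *e = free_head;
    if (e != NULL) { free_head = e->next; e->in_use = 1; }
    return e;
}

/* Unchecked free: a second call on the same element sets e->next = e,
 * so every later allocation hands out the same element again. */
void pool_free_unchecked(struct elem *e) {
    e->next = free_head;
    free_head = e;
}

/* Checked free: refuses an element that is already on the free list.
 * Returns 0 on success, -1 when a double free is detected. */
int pool_free_checked(struct elem *e) {
    if (!e->in_use) return -1;
    e->in_use = 0;
    pool_free_unchecked(e);
    return 0;
}

/* Floyd cycle detection over the free list; returns 1 if it loops. */
int free_list_has_cycle(void) {
    struct elem *slow = free_head, *fast = free_head;
    while (fast != NULL && fast->next != NULL) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast) return 1;
    }
    return 0;
}
```

After the unchecked double free, two consecutive allocations return the same element, so two owners share one block; any list that later links that element twice (as the active PCB list does in the thread) becomes circular.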