[En-Nut-Discussion] Malformed TCP packet and memory leak in low-memory situations

Marti Raudsepp marti at voicecom.ee
Mon Mar 22 16:16:14 CET 2010


Hi list,

It seems that I have found a memory leak in Nut/OS TCP code that
occurs in low-memory situations. This applies to Nut/OS 4.8.6.

First, line 368 of NutTcpOutput does this:
  nb_clone = NutNetBufClone (nb);
And then:
  NutIpOutput(IPPROTO_TCP, sock->so_remote_addr, nb_clone)

This function starts out like:
    if ((nb = NutNetBufAlloc(nb, NBAF_NETWORK, sizeof(IPHDR))) == 0)
        return -1;

Now, consider that when transmitting large packets, NutNetBufClone
will fail; so a NULL pointer is passed into NutIpOutput, and then into
NutNetBufAlloc.

When nb==NULL, but when there's still enough memory for IP and
Ethernet headers, NutNetBufAlloc allocates a new NETBUF, and
NutIpOutput proceeds to transmit a bogus packet onto the wire, without
an actual TCP header (for some reason, the TCP header is zeroed
out, not missing).

Since the transmission was successful, NutIpOutput returns 0, but the
caller was never aware of the newly-allocated NETBUF, so this memory
is leaked.

I have captured this packet in Wireshark:

0000  00 18 8b d8 47 7a 00 06  98 30 00 89 08 00 45 00   ....Gz.. .0....E.
0010  00 14 01 3d 00 00 40 06  f6 b4 c0 a8 00 ba c0 a8   ...=..@. ........
0020  00 e8 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0030  00 00 00 00 00 00 00 00  00 00 00 00               ........ ....

All of this can be avoided by adding an if(nb==NULL) return -1; check
to the beginning of NutIpOutput, or by checking nb_clone in
NutTcpOutput.


Regards,
Marti Raudsepp
voicecom.ee
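As an added example (not code from the mail or from Nut/OS), the following C parser walks the Ethernet and IPv4 headers of the frame captured above, validates the IP header checksum, and reports how many bytes of transport header the datagram actually carries after the IP header. The frame bytes are transcribed from the Wireshark dump; all struct and function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The 60-byte frame transcribed from the Wireshark dump in the mail. */
static const uint8_t frame[] = {
    0x00,0x18,0x8b,0xd8,0x47,0x7a,0x00,0x06,0x98,0x30,0x00,0x89,0x08,0x00,0x45,0x00,
    0x00,0x14,0x01,0x3d,0x00,0x00,0x40,0x06,0xf6,0xb4,0xc0,0xa8,0x00,0xba,0xc0,0xa8,
    0x00,0xe8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

struct ipv4_summary {
    int ok;                  /* 1 once the IPv4 header parsed cleanly */
    uint16_t ip_total_len;   /* IP "total length" field */
    uint8_t protocol;        /* 6 = TCP */
    int checksum_ok;         /* 1 if the IP header checksum verifies */
    size_t l4_bytes;         /* transport bytes inside the IP datagram */
    size_t trailing;         /* bytes after the datagram (link-layer padding) */
};

/* Result of parsing the captured frame; filled in by check_captured_frame(). */
struct ipv4_summary captured;

/* RFC 1071 one's-complement sum over the IP header; 0 means the checksum verifies. */
uint16_t ip_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse Ethernet + IPv4; returns -1 if the frame is not a well-formed IPv4 frame. */
int parse_frame(const uint8_t *f, size_t n, struct ipv4_summary *s) {
    memset(s, 0, sizeof *s);
    if (n < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return -1; /* not IPv4 EtherType */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > n) return -1;
    s->ip_total_len = (uint16_t)(ip[2] << 8 | ip[3]);
    s->protocol = ip[9];
    s->checksum_ok = ip_checksum(ip, ihl) == 0;
    if (s->ip_total_len < ihl || 14 + s->ip_total_len > n) return -1;
    s->l4_bytes = s->ip_total_len - ihl;   /* what the IP header says follows it */
    s->trailing = n - 14 - s->ip_total_len; /* frame bytes the IP layer does not claim */
    s->ok = 1;
    return 0;
}

/* A TCP datagram needs at least a 20-byte TCP header; 1 means it is absent. */
int tcp_header_missing(const struct ipv4_summary *s) {
    return s->ok && s->protocol == 6 && s->l4_bytes < 20;
}

int check_captured_frame(void) { return parse_frame(frame, sizeof frame, &captured); }
```

Run against the dump, the parser reports a valid IPv4 header whose total-length field covers only the 20 header bytes, protocol TCP, and zero transport bytes, which is the signature to look for when hunting this bug in captures.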
