[En-Nut-Discussion] FYI: Integer overflow in tcp socket write function fixed

Ole Reinhardt ole.reinhardt at embedded-it.de
Tue Sep 29 22:29:54 CEST 2015


Hi all,

I fixed another long-hidden bug in the TCP socket code.

There had been two integer overflows in NutTcpDeviceWrite() and
NutTcpReceive().

Both functions suffered from size calculations based on uint16_t
variables, which resulted in integer overflows when calling these
functions with buffer sizes > 64K.

As a result, NutTcpDeviceWrite() sent out the wrong number of bytes, but
always returned that it correctly wrote the whole buffer size.

So when calling write() or fwrite() on a socket with a buffer larger
than 64K, you likely would have lost data on the socket.

The same could perhaps have happened when calling fread() or read() on a
socket with large buffers.

The fix is implemented in trunk rev. r6143.

best regards,

Ole Reinhardt


-- 
kernel concepts GmbH            Tel: +49-271-771091-14
Sieghuetter Hauptweg 48         Mob: +49-177-7420433
D-57072 Siegen
http://www.embedded-it.de
http://www.kernelconcepts.de
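
Added example, not part of the original post and not the Nut/OS source: a host-side C sketch of the write-side failure described above, where a byte count held in a uint16_t wraps for buffers over 64K while the full length is still reported, next to a full-width version. The names write_u16, write_wide, stub_send and SEG_MAX are hypothetical, and the transport is a stub that only counts bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEG_MAX 536u              /* assumed per-call segment limit */
static uint8_t payload[70000];    /* constructed sample buffer, > 64K */
static size_t wire_bytes;         /* bytes the stub transport accepted */
/* Hypothetical transport stub: takes at most SEG_MAX bytes per call. */
static size_t stub_send(const uint8_t *p, size_t n) {
    (void)p;
    size_t take = n < SEG_MAX ? n : SEG_MAX;
    wire_bytes += take;
    return take;
}

/* Flawed pattern: a uint16_t count wraps modulo 65536, yet full len is reported. */
int write_u16(const uint8_t *buf, int len) {
    uint16_t remaining = (uint16_t)len;          /* 70000 becomes 4464 */
    while (remaining > 0) {
        uint16_t sent = (uint16_t)stub_send(buf, remaining);
        buf += sent;
        remaining = (uint16_t)(remaining - sent);
    }
    return len;                                  /* over-reports */
}

/* Corrected pattern: full-width counters, return what was really sent. */
int write_wide(const uint8_t *buf, int len) {
    if (len < 0) return -1;
    size_t remaining = (size_t)len, done = 0;
    while (remaining > 0) {
        size_t sent = stub_send(buf + done, remaining);
        if (sent == 0) break;                    /* transport stalled */
        done += sent;
        remaining -= sent;
    }
    return (int)done;
}

/* Run one writer over the sample buffer and report bytes on the wire. */
size_t wire_after(int (*writer)(const uint8_t *, int), int len) {
    wire_bytes = 0;
    (void)writer(payload, len);
    return wire_bytes;
}

int main(void) {
    printf("u16=%zu wide=%zu\n", wire_after(write_u16, 70000), wire_after(write_wide, 70000));
    return 0;
}
```

A caller that compares the return value with the requested length cannot detect the loss in the first variant, which is why the truncation stays hidden until the received data is checked end to end.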

