[En-Nut-Discussion] FYI: Integer overflow in tcp socket write function fixed

Coleman Brumley cbrumley at polarsoft.biz
Tue Sep 29 23:01:12 CEST 2015


Ole,

I realize the patch is in SVN, but from a Nut/OS user perspective when
browsing this forum for issues it's nice when the patch is also available.
It's nice to see the patch in the context of the problem it solves. 

So, could you send the patch to the list please?

Coleman

> -----Original Message-----
> From: en-nut-discussion-bounces at egnite.de [mailto:en-nut-discussion-
> bounces at egnite.de] On Behalf Of Ole Reinhardt
> Sent: Tuesday, September 29, 2015 4:30 PM
> To: en-nut-discussion at egnite.de
> Subject: [En-Nut-Discussion] FYI: Integer overflow in tcp socket write
> function fixed
> 
> Hi all,
> 
> I fixed another long time hidden bug in the TCP socket code.
> 
> There had been two integer overflows in NutTcpDeviceWrite() and
> NutTcpReceive().
> 
> Both functions suffered from size calculations based on uint16_t variables,
> which resulted in integer overflows when calling these functions with buffer
> sizes > 64K.
> 
> As a result, NutTcpDeviceWrite() sent out the wrong number of bytes, but
> always returned that it correctly wrote the whole buffer size.
> 
> So when calling write() or fwrite() on a socket with a buffer larger than 64K
> you likely would have lost data on the socket.
> 
> Same could perhaps have happened when calling fread() or read() on a
> socket with large buffers.
> 
> The fix is implemented in trunk rev. r6143.
> 
> best regards,
> 
> Ole Reinhardt
> 
> 
> --
> kernel concepts GmbH            Tel: +49-271-771091-14
> Sieghuetter Hauptweg 48         Mob: +49-177-7420433
> D-57072 Siegen
> http://www.embedded-it.de
> http://www.kernelconcepts.de
> _______________________________________________
> http://lists.egnite.de/mailman/listinfo/en-nut-discussion
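
The failure mode described in the quoted announcement, as an added example: this is not the Nut/OS source and not the r6143 patch. The function names, the mock transport and the 1460-byte chunk limit are hypothetical; the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define SEG_MAX 1460u              /* assumed per-call payload limit */
static uint8_t sample[70000];      /* constructed input, larger than 64K */
static size_t wire_bytes;          /* bytes the mock transport accepted */

/* Hypothetical transport: takes at most SEG_MAX bytes per call. */
static uint16_t mock_send(const uint8_t *p, uint16_t n)
{
    (void)p;
    if (n > SEG_MAX) n = SEG_MAX;
    wire_bytes += n;
    return n;
}

/* Flawed pattern: remaining length held in uint16_t, caller's size returned. */
uint32_t write_truncating(const uint8_t *buf, uint32_t size)
{
    uint16_t left = (uint16_t)size;        /* 70000 wraps to 4464 */
    while (left > 0) {
        uint16_t sent = mock_send(buf, left);
        buf += sent;
        left -= sent;
    }
    return size;                           /* reports the whole buffer */
}

/* Corrected pattern: full-width counter, only the per-call chunk is narrow. */
uint32_t write_chunked(const uint8_t *buf, uint32_t size)
{
    uint32_t done = 0;
    while (done < size) {
        uint32_t left = size - done;
        uint16_t sent = mock_send(buf + done, left > SEG_MAX ? SEG_MAX : (uint16_t)left);
        if (sent == 0) break;              /* transport stalled: report short write */
        done += sent;
    }
    return done;                           /* bytes actually handed over */
}

int main(void)
{
    uint32_t r = write_truncating(sample, sizeof sample);
    printf("truncating: returned %lu, sent %zu\n", (unsigned long)r, wire_bytes);
    wire_bytes = 0;
    r = write_chunked(sample, sizeof sample);
    printf("chunked:    returned %lu, sent %zu\n", (unsigned long)r, wire_bytes);
    return 0;
}
```

Callers can detect this class of bug by comparing the return value against bytes observed at the peer; the return value alone is not evidence that the data left the socket.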


