[Click] unsafe write in dequeue.cc, problem with Packet::shift_data
Eddie Kohler
kohler at cs.ucla.edu
Wed Jun 18 16:14:40 EDT 2008
Ulf,
Thanks so much for these patches!!
- I've fixed the DEQueue problem you reported, but in a different way.
reserve() was called incorrectly in two places (the other being
resize()), so I just changed reserve()'s behavior.
- The misbehavior you report with Packet::shift_data() was still present
in our current code. I addressed this in a different way -- making a
copy on EVERY shift seems extreme, and copying all headroom and tailroom
seems unnecessary. Instead, the current code ensures that any
mac_header() data is preserved. Would this help?
Both patches are checked in to git. Thanks!
Eddie
Ulf Hermann wrote:
> Hi,
>
> First of all, thanks a lot for your work on click. It really helped me
> with my diploma thesis. However, while working with it, I found two
> problems. First, there is an error in the click dequeue implementation.
> In operator= it reserves too little memory, resulting in _tail being out
> of range and subsequently writing to memory it hasn't allocated. The
> following small patch to dequeue.cc fixes that:
>
> 50c50
> < if (reserve(o._n)) {
> ---
>> if (reserve(o._n + 1)) {
>
> Also I found a problem with Packet::shift_data, but in the meantime you
> have changed that function yourself and I don't know if that fixes my
> problem. I'll just post my solution, based on click 1.5.0, here - see
> the attached packet.diff. It's basically replacing a section of code
> with a comment describing the problem, so it should be self-explanatory.
>
> sincerely,
> Ulf Hermann
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> click mailing list
> click at amsterdam.lcs.mit.edu
> https://amsterdam.lcs.mit.edu/mailman/listinfo/click
More information about the click
mailing list