Hi There,
I think I tracked down a bug in udp.c
I'm using MQX 4.1.1 along with the IPv6 Patch, and compiling RTCS with -Os
Using this, my device crashes when receiving an IPv6 UDP multicast package, targeting a port I'm not listening to.
I will add the package 'of death' to this posting as tcpdump (pcap) file. I'm using tcpreplay to invoke the attack like this:
$ sudo tcpreplay --intf1=eth0 ~/Desktop/ipv6_udp_multicast_crash.pcapng
This bug vanishes when wrapping an RTCS function called UDP_service6() in -O0 pragmas, like this:
#pragma GCC optimize ("O0")
#if RTCSCFG_ENABLE_IP6
void UDP_service6
[...]
#endif
#pragma GCC optimize ("Os")
Can't say what's happening exactly, and what goes south when having the complete udp.c optimized by -Os, hope I can deliver further information later on...
Does anyone have a clue, or a suggestion for me?
Thanks a lot,
Martin
Original Attachment has been moved to: ipv6_udp_multicast_crash.pcapng.zip
I found a solution. If the incoming package is not found by ip6_multicast_find_socket_entry, ucb_ptr is set to NULL, but used a few lines later.
So my solution is:
--- a/MQX/rtcs/source/tcpip/udp.c
+++ b/MQX/rtcs/source/tcpip/udp.c
@@ -1570,7 +1570,7 @@ void UDP_service6
* If scope_id of input packet is different from UCB scope_id set UCB to NULL and
* UCB to NULL, to discard packet and generate error.
*/
- if(ucb_ptr->IF_SCOPE_ID)
+ if(ucb_ptr && ucb_ptr->IF_SCOPE_ID)^M
{
if(ucb_ptr->IF_SCOPE_ID != error)
{
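Review bot: The added line `if(ucb_ptr && ucb_ptr->IF_SCOPE_ID)` ends in a carriage return (`^M`) while the surrounding lines of the hunk do not, so the patch introduces a mixed line ending; strip it before applying. The guard only protects this block, so the code after it must also tolerate ucb_ptr being NULL (the comment says that is the discard-and-error path), which is not visible in this hunk and is worth confirming. The comment above also repeats "UCB to NULL" and could be tidied in the same change.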
Funny thing -O0 did not crash my system, but -Os did...
cheers, Martin
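The failure mode described in the post above, as an added example that is not part of the original post or of the RTCS source: a socket lookup that returns NULL for an unbound port, with the scope check placed behind an early NULL return. Only `IF_SCOPE_ID` is taken from the post; `struct ucb`, `find_ucb`, `udp6_demux`, the verdict names and the socket table are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the RTCS UCB; only IF_SCOPE_ID is a name from the post. */
struct ucb { uint16_t port; uint32_t IF_SCOPE_ID; };  /* 0 = not tied to a scope */

enum verdict { DELIVER, DISCARD_NO_SOCKET, DISCARD_SCOPE };

/* Constructed socket table: one listener on port 5353, bound to scope id 2. */
static struct ucb bound[] = { { 5353, 2 } };

/* Returns NULL when nothing listens on the port, like the lookup in the post. */
static struct ucb *find_ucb(uint16_t port)
{
    for (size_t i = 0; i < sizeof bound / sizeof bound[0]; i++)
        if (bound[i].port == port)
            return &bound[i];
    return NULL;
}

enum verdict udp6_demux(uint16_t dst_port, uint32_t pkt_scope_id)
{
    struct ucb *u = find_ucb(dst_port);

    /* Check the lookup result once, before any field access, so every
       later dereference in this function is covered by the same guard. */
    if (u == NULL)
        return DISCARD_NO_SOCKET;

    /* Scope check as described in the patch context: a UCB with a scope id
       only accepts packets that arrived with the same scope id. */
    if (u->IF_SCOPE_ID && u->IF_SCOPE_ID != pkt_scope_id)
        return DISCARD_SCOPE;

    return DELIVER;
}

int main(void)
{
    /* Packet to a port nobody listens on: the case that crashed the device. */
    return udp6_demux(9999, 2) == DISCARD_NO_SOCKET ? 0 : 1;
}
```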
Hi Martin,
Thanks for posting.
I will forward to our MQX Development team.
Regards,
David
fixed in MQX 4.2, no longer an issue here...
Hi David,
I was curious and checked MQX v4.2... A lot changed here, so I cannot verify if you already fixed it.
Unfortunately I cannot switch to v4.2 immediately because we need to purchase the IPv6 module first?
cheers, Martin