FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

unstable MQX software using ipv6 with -Os for udp.c

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

unstable MQX software using ipv6 with -Os for udp.c

Jump to solution
‎05-08-2015 05:39 AM
790 Views
m_bach
Contributor III

Hi There,

 

I think I tracked down a bug in udp.c

I'm using MQX 4.1.1 along with the IPv6 Patch, and compiling RTCS with -Os

Using this, my devices crashes when receiving an IPv6 UDP multicast package, targeting a port I'm not listening to.

I will add the package 'of death' to this posting as tcpdump (pcap) file. I'm using tcpreplay to invoke the attack like this:

    $ sudo tcpreplay --intf1=eth0 ~/Desktop/ipv6_udp_multicast_crash.pcapng

 

This bug vanishes when wrapping an RTCS function called UDP_service6() in -O0 pragmas, like this:

 

#pragma GCC optimize ("O0")

#if RTCSCFG_ENABLE_IP6

void UDP_service6

[...]

#endif

#pragma GCC optimize ("Os")

 

Can't say what's happening exactly, and what goes south when having the complete udp.c optimized by -Os, hope I can deliver further information later on...

Does anyone have a clue, or a suggestion for me?

 

Thanks a lot,

Martin

Original Attachment has been moved to: ipv6_udp_multicast_crash.pcapng.zip

Labels (1)
0 Kudos
Reply
1 Solution

Jump to solution
‎05-08-2015 06:02 AM
523 Views
m_bach
Contributor III

I found a solution. If teh incoming package is not found by  ip6_multicast_find_socket_entry, ucb_ptr is set to NULL, but used a few lines later.

So my solution is:

--- a/MQX/rtcs/source/tcpip/udp.c

+++ b/MQX/rtcs/source/tcpip/udp.c

@@ -1570,7 +1570,7 @@ void UDP_service6

      * If scope_id of input packet is different from UCB scope_id set UCB to NULL and

      * UCB to NULL, to discard packet and generate error.

      */

-    if(ucb_ptr->IF_SCOPE_ID)

+    if(ucb_ptr && ucb_ptr->IF_SCOPE_ID)^M

     {

         if(ucb_ptr->IF_SCOPE_ID != error)

         {

Funny thing -O0 did not crash my system, but -Os did...

cheers, Martin

View solution in original post

0001-udp-bugfix-derefencing-NULL-pointer-on-incoming-IPv6.patch.zip
0 Kudos
Reply
4 Replies

Jump to solution
‎05-08-2015 06:02 AM
524 Views
m_bach
Contributor III

I found a solution. If teh incoming package is not found by  ip6_multicast_find_socket_entry, ucb_ptr is set to NULL, but used a few lines later.

So my solution is:

--- a/MQX/rtcs/source/tcpip/udp.c

+++ b/MQX/rtcs/source/tcpip/udp.c

@@ -1570,7 +1570,7 @@ void UDP_service6

      * If scope_id of input packet is different from UCB scope_id set UCB to NULL and

      * UCB to NULL, to discard packet and generate error.

      */

-    if(ucb_ptr->IF_SCOPE_ID)

+    if(ucb_ptr && ucb_ptr->IF_SCOPE_ID)^M

     {

         if(ucb_ptr->IF_SCOPE_ID != error)

         {

Funny thing -O0 did not crash my system, but -Os did...

cheers, Martin

0001-udp-bugfix-derefencing-NULL-pointer-on-incoming-IPv6.patch.zip
0 Kudos
Reply

Jump to solution
‎05-08-2015 06:36 AM
523 Views
DavidS
NXP Employee
NXP Employee

Hi Martin,

Thanks for posting.

I will forward to our MQX Development team.

Regards,

David

0 Kudos
Reply

Jump to solution
‎06-19-2015 12:16 AM
523 Views
m_bach
Contributor III

fixed in MQX 4.2, no longer an issue here...

0 Kudos
Reply

Jump to solution
‎05-08-2015 07:34 AM
523 Views
m_bach
Contributor III

Hi David,

I war curious and checked MQX v4.2... A lot changed here, so I cannot verify if you already fixed it.

Unfortunately I cannot switch to v4.2 immediately because we need to purchase the IPv6 module first?

cheers, Martin

0 Kudos
Reply