dhcp: Clear flags

Do not assume that mem_malloc() returns cleared memory.
tcp: Fix TCP timestamps for big-endian systems
2025-08-03 21:14:40 +08:00 · 2025-08-03 11:35:52 +02:00 · 2025-08-03 11:33:53 +02:00 · 2025-08-03 11:24:55 +02:00 · 2025-07-15 22:09:27 +02:00 · 2025-06-03 21:04:39 +02:00
17 changed files with 93 additions and 85 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -25,7 +25,7 @@ jobs:
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners
    # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-20.04' }}
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      actions: read
--- a/5
+++ b/5
@ -6,6 +6,11 @@ HISTORY

  * [Enter new changes just after this line - do not remove this line]

+  ++ Bugfixes:
+
+  2025-06-03: Simon Goldschmidt
+  * ip4_frag/ip6_frag: fix potential NULL-pointer access on memory errors
+
 (STABLE-2.2.1):

  ++ New features:
--- a/doc/doxygen/lwip.Doxyfile
+++ b/doc/doxygen/lwip.Doxyfile
@ -38,7 +38,7 @@ PROJECT_NAME           = "lwIP"
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = "2.2.1"
+PROJECT_NUMBER         = "2.2.2.dev"

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
--- a/src/Filelists.cmake
+++ b/src/Filelists.cmake
@ -14,11 +14,11 @@ endif()

 set(LWIP_VERSION_MAJOR    "2")
 set(LWIP_VERSION_MINOR    "2")
-set(LWIP_VERSION_REVISION "1")
+set(LWIP_VERSION_REVISION "2")
 # LWIP_VERSION_RC is set to LWIP_RC_RELEASE for official releases
 # LWIP_VERSION_RC is set to LWIP_RC_DEVELOPMENT for Git versions
 # Numbers 1..31 are reserved for release candidates
-set(LWIP_VERSION_RC       "LWIP_RC_RELEASE")
+set(LWIP_VERSION_RC       "LWIP_RC_DEVELOPMENT")

 if ("${LWIP_VERSION_RC}" STREQUAL "LWIP_RC_RELEASE")
    set(LWIP_VERSION_STRING
--- a/src/apps/http/altcp_proxyconnect.c
+++ b/src/apps/http/altcp_proxyconnect.c
@ -576,6 +576,10 @@ const struct altcp_functions altcp_proxyconnect_functions = {
  altcp_default_get_tcp_addrinfo,
  altcp_default_get_ip,
  altcp_default_get_port
+#if LWIP_TCP_KEEPALIVE
+  , altcp_default_keepalive_disable
+  , altcp_default_keepalive_enable
+#endif
 #ifdef LWIP_DEBUG
  , altcp_default_dbg_get_tcp_state
 #endif
--- a/src/apps/http/httpd.c
+++ b/src/apps/http/httpd.c
@ -120,7 +120,6 @@
 #define CRLF "\r\n"
 #if LWIP_HTTPD_SUPPORT_11_KEEPALIVE
 #define HTTP11_CONNECTIONKEEPALIVE  "Connection: keep-alive"
-#define HTTP11_CONNECTIONKEEPALIVE2 "Connection: Keep-Alive"
 #endif

 #if LWIP_HTTPD_DYNAMIC_FILE_READ
@ -2100,8 +2099,7 @@ http_parse_request(struct pbuf *inp, struct http_state *hs, struct altcp_pcb *pc
 #if LWIP_HTTPD_SUPPORT_11_KEEPALIVE
          /* This is HTTP/1.0 compatible: for strict 1.1, a connection
             would always be persistent unless "close" was specified. */
-          if (!is_09 && (lwip_strnistr(data, HTTP11_CONNECTIONKEEPALIVE, data_len) ||
-                         lwip_strnistr(data, HTTP11_CONNECTIONKEEPALIVE2, data_len))) {
+          if (!is_09 && lwip_strnistr(data, HTTP11_CONNECTIONKEEPALIVE, data_len)) {
            hs->keepalive = 1;
          } else {
            hs->keepalive = 0;
--- a/src/apps/snmp/snmp_asn1.c
+++ b/src/apps/snmp/snmp_asn1.c
@ -463,14 +463,8 @@ snmp_asn1_dec_s32t(struct snmp_pbuf_stream *pbuf_stream, u16_t len, s32_t *value
  if ((len > 0) && (len < 5)) {
    PBUF_OP_EXEC(snmp_pbuf_stream_read(pbuf_stream, &data));

-    if (data & 0x80) {
-      /* negative, start from -1 */
-      *value = -1;
-      *value = (*value << 8) | data;
-    } else {
-      /* positive, start from 0 */
-      *value = data;
-    }
+    /* sign extension */
+    *value = (s8_t)data;
    len--;
    /* shift in the remaining value */
    while (len > 0) {
--- a/src/apps/tftp/tftp.c
+++ b/src/apps/tftp/tftp.c
@ -454,10 +454,12 @@ tftp_init_common(u8_t mode, const struct tftp_context *ctx)
    return ERR_MEM;
  }

-  ret = udp_bind(pcb, IP_ANY_TYPE, TFTP_PORT);
-  if (ret != ERR_OK) {
-    udp_remove(pcb);
-    return ret;
+  if (mode & LWIP_TFTP_MODE_SERVER) {
+    ret = udp_bind(pcb, IP_ANY_TYPE, TFTP_PORT);
+    if (ret != ERR_OK) {
+      udp_remove(pcb);
+      return ret;
+    }
  }

  tftp_state.handle    = NULL;
--- a/src/core/ipv4/autoip.c
+++ b/src/core/ipv4/autoip.c
@ -223,9 +223,10 @@ autoip_conflict_callback(struct netif *netif, acd_callback_enum_t state)
      autoip_restart(netif);
      break;
    case ACD_DECLINE:
-      /* "delete" conflicting address so a new one will be selected in
-       * autoip_start() */
+      /* "delete" conflicting address and increment tried addr so a new one
+       * will be selected in autoip_start() */
      ip4_addr_set_any(&autoip->llipaddr);
+      autoip->tried_llipaddr++;
      autoip_stop(netif);
      break;
      default:
--- a/src/core/ipv4/dhcp.c
+++ b/src/core/ipv4/dhcp.c
@ -773,9 +773,6 @@ dhcp_set_struct(struct netif *netif, struct dhcp *dhcp)
 * @ingroup dhcp4
 * Removes a struct dhcp from a netif.
 *
- * ATTENTION: Only use this when not using dhcp_set_struct() to allocate the
- *            struct dhcp since the memory is passed back to the heap.
- *
 * @param netif the netif from which to remove the struct dhcp
 */
 void dhcp_cleanup(struct netif *netif)
@ -811,6 +808,7 @@ dhcp_start(struct netif *netif)
 {
  struct dhcp *dhcp;
  err_t result;
+  u8_t saved_flags;

  LWIP_ASSERT_CORE_LOCKED();
  LWIP_ERROR("netif != NULL", (netif != NULL), return ERR_ARG;);
@ -833,6 +831,8 @@ dhcp_start(struct netif *netif)
      return ERR_MEM;
    }

+    /* clear the flags, the rest is cleared below */
+    dhcp->flags = 0;
    /* store this dhcp client in the netif */
    netif_set_client_data(netif, LWIP_NETIF_CLIENT_DATA_INDEX_DHCP, dhcp);
    LWIP_DEBUGF(DHCP_DEBUG | LWIP_DBG_TRACE, ("dhcp_start(): allocated dhcp\n"));
@ -846,9 +846,10 @@ dhcp_start(struct netif *netif)
    /* dhcp is cleared below, no need to reset flag*/
  }

-  /* clear data structure */
+  /* clear data structure but preserve DHCP_FLAG_EXTERNAL_MEM for dhcp_cleanup() */
+  saved_flags = dhcp->flags;
  memset(dhcp, 0, sizeof(struct dhcp));
-  /* dhcp_set_state(&dhcp, DHCP_STATE_OFF); */
+  dhcp->flags = saved_flags & DHCP_FLAG_EXTERNAL_MEM;


 #if LWIP_DHCP_DOES_ACD_CHECK
--- a/src/core/ipv4/etharp.c
+++ b/src/core/ipv4/etharp.c
@ -940,9 +940,9 @@ etharp_query(struct netif *netif, const ip4_addr_t *ipaddr, struct pbuf *q)
  netif_addr_idx_t i;

  /* non-unicast address? */
-  if (ip4_addr_isbroadcast(ipaddr, netif) ||
-      ip4_addr_ismulticast(ipaddr) ||
-      ip4_addr_isany(ipaddr)) {
+  if (ip4_addr_isany(ipaddr) ||
+      ip4_addr_isbroadcast(ipaddr, netif) ||
+      ip4_addr_ismulticast(ipaddr)) {
    LWIP_DEBUGF(ETHARP_DEBUG | LWIP_DBG_TRACE, ("etharp_query: will not add non-unicast IP address to ARP cache\n"));
    return ERR_ARG;
  }
--- a/src/core/ipv4/ip4_frag.c
+++ b/src/core/ipv4/ip4_frag.c
@ -175,19 +175,21 @@ ip_reass_free_complete_datagram(struct ip_reassdata *ipr, struct ip_reassdata *p

  MIB2_STATS_INC(mib2.ipreasmfails);
 #if LWIP_ICMP
-  iprh = (struct ip_reass_helper *)ipr->p->payload;
-  if (iprh->start == 0) {
-    /* The first fragment was received, send ICMP time exceeded. */
-    /* First, de-queue the first pbuf from r->p. */
-    p = ipr->p;
-    ipr->p = iprh->next_pbuf;
-    /* Then, copy the original header into it. */
-    SMEMCPY(p->payload, &ipr->iphdr, IP_HLEN);
-    icmp_time_exceeded(p, ICMP_TE_FRAG);
-    clen = pbuf_clen(p);
-    LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
-    pbufs_freed = (u16_t)(pbufs_freed + clen);
-    pbuf_free(p);
+  if (ipr->p != NULL) {
+    iprh = (struct ip_reass_helper *)ipr->p->payload;
+    if (iprh->start == 0) {
+      /* The first fragment was received, send ICMP time exceeded. */
+      /* First, de-queue the first pbuf from r->p. */
+      p = ipr->p;
+      ipr->p = iprh->next_pbuf;
+      /* Then, copy the original header into it. */
+      SMEMCPY(p->payload, &ipr->iphdr, IP_HLEN);
+      icmp_time_exceeded(p, ICMP_TE_FRAG);
+      clen = pbuf_clen(p);
+      LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
+      pbufs_freed = (u16_t)(pbufs_freed + clen);
+      pbuf_free(p);
+    }
  }
 #endif /* LWIP_ICMP */

--- a/src/core/ipv6/ip6_frag.c
+++ b/src/core/ipv6/ip6_frag.c
@ -154,35 +154,37 @@ ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr)
  struct ip6_reass_helper *iprh;

 #if LWIP_ICMP6
-  iprh = (struct ip6_reass_helper *)ipr->p->payload;
-  if (iprh->start == 0) {
-    /* The first fragment was received, send ICMP time exceeded. */
-    /* First, de-queue the first pbuf from r->p. */
-    p = ipr->p;
-    ipr->p = iprh->next_pbuf;
-    /* Restore the part that we've overwritten with our helper structure, or we
-     * might send garbage (and disclose a pointer) in the ICMPv6 reply. */
-    MEMCPY(p->payload, ipr->orig_hdr, sizeof(*iprh));
-    /* Then, move back to the original ipv6 header (we are now pointing to Fragment header).
-       This cannot fail since we already checked when receiving this fragment. */
-    if (pbuf_header_force(p, (s16_t)((u8_t*)p->payload - (u8_t*)ipr->iphdr))) {
-      LWIP_ASSERT("ip6_reass_free: moving p->payload to ip6 header failed", 0);
+  if (ipr->p != NULL) {
+    iprh = (struct ip6_reass_helper *)ipr->p->payload;
+    if (iprh->start == 0) {
+      /* The first fragment was received, send ICMP time exceeded. */
+      /* First, de-queue the first pbuf from r->p. */
+      p = ipr->p;
+      ipr->p = iprh->next_pbuf;
+      /* Restore the part that we've overwritten with our helper structure, or we
+       * might send garbage (and disclose a pointer) in the ICMPv6 reply. */
+      MEMCPY(p->payload, ipr->orig_hdr, sizeof(*iprh));
+      /* Then, move back to the original ipv6 header (we are now pointing to Fragment header).
+         This cannot fail since we already checked when receiving this fragment. */
+      if (pbuf_header_force(p, (s16_t)((u8_t*)p->payload - (u8_t*)ipr->iphdr))) {
+        LWIP_ASSERT("ip6_reass_free: moving p->payload to ip6 header failed", 0);
+      }
+      else {
+        /* Reconstruct the zoned source and destination addresses, so that we do
+         * not end up sending the ICMP response over the wrong link. */
+        ip6_addr_t src_addr, dest_addr;
+        ip6_addr_copy_from_packed(src_addr, IPV6_FRAG_SRC(ipr));
+        ip6_addr_set_zone(&src_addr, ipr->src_zone);
+        ip6_addr_copy_from_packed(dest_addr, IPV6_FRAG_DEST(ipr));
+        ip6_addr_set_zone(&dest_addr, ipr->dest_zone);
+        /* Send the actual ICMP response. */
+        icmp6_time_exceeded_with_addrs(p, ICMP6_TE_FRAG, &src_addr, &dest_addr);
+      }
+      clen = pbuf_clen(p);
+      LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
+      pbufs_freed = (u16_t)(pbufs_freed + clen);
+      pbuf_free(p);
    }
-    else {
-      /* Reconstruct the zoned source and destination addresses, so that we do
-       * not end up sending the ICMP response over the wrong link. */
-      ip6_addr_t src_addr, dest_addr;
-      ip6_addr_copy_from_packed(src_addr, IPV6_FRAG_SRC(ipr));
-      ip6_addr_set_zone(&src_addr, ipr->src_zone);
-      ip6_addr_copy_from_packed(dest_addr, IPV6_FRAG_DEST(ipr));
-      ip6_addr_set_zone(&dest_addr, ipr->dest_zone);
-      /* Send the actual ICMP response. */
-      icmp6_time_exceeded_with_addrs(p, ICMP6_TE_FRAG, &src_addr, &dest_addr);
-    }
-    clen = pbuf_clen(p);
-    LWIP_ASSERT("pbufs_freed + clen <= 0xffff", pbufs_freed + clen <= 0xffff);
-    pbufs_freed = (u16_t)(pbufs_freed + clen);
-    pbuf_free(p);
  }
 #endif /* LWIP_ICMP6 */

--- a/src/core/tcp_in.c
+++ b/src/core/tcp_in.c
@ -1993,17 +1993,17 @@ tcp_parseopt(struct tcp_pcb *pcb)
            return;
          }
          /* TCP timestamp option with valid length */
-          tsval = tcp_get_next_optbyte();
-          tsval |= (tcp_get_next_optbyte() << 8);
+          tsval = (tcp_get_next_optbyte() << 24);
          tsval |= (tcp_get_next_optbyte() << 16);
-          tsval |= (tcp_get_next_optbyte() << 24);
+          tsval |= (tcp_get_next_optbyte() << 8);
+          tsval |= tcp_get_next_optbyte();
          if (flags & TCP_SYN) {
-            pcb->ts_recent = lwip_ntohl(tsval);
+            pcb->ts_recent = tsval;
            /* Enable sending timestamps in every segment now that we know
               the remote host supports it. */
            tcp_set_flags(pcb, TF_TIMESTAMP);
          } else if (TCP_SEQ_BETWEEN(pcb->ts_lastacksent, seqno, seqno + tcplen)) {
-            pcb->ts_recent = lwip_ntohl(tsval);
+            pcb->ts_recent = tsval;
          }
          /* Advance to next option (6 bytes already read) */
          tcp_optidx += LWIP_TCP_OPT_LEN_TS - 6;
--- a/src/include/lwip/init.h
+++ b/src/include/lwip/init.h
@ -54,11 +54,11 @@ extern "C" {
 /** x.X.x: Minor version of the stack */
 #define LWIP_VERSION_MINOR      2
 /** x.x.X: Revision of the stack */
-#define LWIP_VERSION_REVISION   1
+#define LWIP_VERSION_REVISION   2
 /** For release candidates, this is set to 1..254
  * For official releases, this is set to 255 (LWIP_RC_RELEASE)
  * For development versions (Git), this is set to 0 (LWIP_RC_DEVELOPMENT) */
-#define LWIP_VERSION_RC         LWIP_RC_RELEASE
+#define LWIP_VERSION_RC         LWIP_RC_DEVELOPMENT

 /** LWIP_VERSION_RC is set to LWIP_RC_RELEASE for official releases */
 #define LWIP_RC_RELEASE         255
--- a/test/unit/ip6/test_ip6.c
+++ b/test/unit/ip6/test_ip6.c
@ -519,6 +519,7 @@ START_TEST(test_ip6_reass)
  test_ip6_reass_helper(130, t3, NUM_SEGS, 8);
  test_ip6_reass_helper(130, t4, NUM_SEGS, 1448);
 }
+END_TEST

 /** Create the suite including all tests for this module */
 Suite *
--- a/test/unit/tcp/test_tcp.c
+++ b/test/unit/tcp/test_tcp.c
@ -534,15 +534,13 @@ START_TEST(test_tcp_fast_retx_recover)
  EXPECT_RET(txcounters.num_tx_calls == 0);
  EXPECT_RET(txcounters.num_tx_bytes == 0);
  memset(&txcounters, 0, sizeof(txcounters));
+
+  do
  {
-    int i = 0;
-    do
-    {
-      err = tcp_write(pcb, data6, TCP_MSS, TCP_WRITE_FLAG_COPY);
-      i++;
-    }while(err == ERR_OK);
-    EXPECT_RET(err != ERR_OK);
-  }
+    err = tcp_write(pcb, data6, TCP_MSS, TCP_WRITE_FLAG_COPY);
+  }while(err == ERR_OK);
+  EXPECT_RET(err != ERR_OK);
+
  err = tcp_output(pcb);
  EXPECT_RET(err == ERR_OK);
  /*EXPECT_RET(txcounters.num_tx_calls == 0);
Author	SHA1	Message	Date
Sebastian Huber	4599f551de	dhcp: Clear flags Do not assume that mem_malloc() returns cleared memory.	2025-08-03 11:35:52 +02:00
Sergey Fionov	41a36098b3	tcp: Fix TCP timestamps for big-endian systems Current parsing code is building reverse-order integer, and then calls htonl() to assign right value to "ts_recent" field of pcb. This works correctly on little-endian machines, where htonl() reverses bytes. However, on big-endian machines, htonl() is no-op, so bytes stay reversed. This patch fixes it by building non-reversed integer.	2025-08-03 11:33:53 +02:00
David Cermak	e7ab7e0773	autoip: Choose next address after rate limit AutoIP now selects a new address after rate limit timeout, AutoIP tries a new address by incrementing the tried_llipaddr counter in the ACD_DECLINE case of the callback. In lwIP pre-2.2.0, address conflict detection was handled within autoip.c, and the incrementing happened in autoip_restart() (line 150). When ACD was extracted into a separate module in 2.2.0, this increment was missing for the rate-limiting path. Without this change, devices continuously retry the same IP address after rate limiting, causing them to fail Bonjour Conformance Tests.	2025-08-03 11:24:55 +02:00
Jerome Forissier	b1edb7780f	tftp: bind to TFTP port only when in server mode The TFTP app should not bind to the TFTP server port when configured as a client. Instead, the local port should be chosen from the dynamic range (49152 ~ 65535) so that if the application is stopped and started again, the remote server will not consider the new packets as part of the same context (which would cause an error since a new RRQ would be unexpected). Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>	2025-07-15 22:09:27 +02:00
Simon Goldschmidt	56b29f8bcf	ip4_frag/ip6_frag: fix potential NULL-pointer access on memory errors	2025-06-03 21:04:39 +02:00
Erik Ekman	92522e4538	codeql: Use ubuntu-latest instead of 20.04	2025-05-26 19:15:39 +02:00
Alexey Lapshin	571c46253f	src/core: fix gcc analyzer warning Make ip4_addr_isany check first to avoid warning: "check of 'ipaddr' for NULL after already dereferencing it [-Werror=analyzer-deref-before-check]"	2025-05-26 19:10:03 +02:00
Mike Kleshov	ca0395c5ae	Revert "Apply patch #10511 : remove code with no effect in httpd.c" This reverts commit f877b457a1bb759d48567326ec020be7e3a3d989.	2025-04-02 10:22:43 +03:00
MinghaoWang	31d8988f89	Apply patch #10358 : preserve dhcp memory type flag	2025-03-21 22:34:52 +03:00
Mike Kleshov	f877b457a1	Apply patch #10511 : remove code with no effect in httpd.c	2025-03-21 19:35:05 +03:00
Mike Kleshov	6c8874bf5d	Apply patch #10047 : HTTP11_CONNECTIONKEEPALIVE2 not needed any more	2025-03-21 19:25:31 +03:00
Oswin Bult	8459488006	Apply patch #10406 : simplify sign extension	2025-03-21 18:48:50 +03:00
Simon Goldschmidt	ffce5ab1c7	try to fix unit test compiling with clang	2025-03-03 21:45:32 +01:00
Jarno Malmari	e55896319b	Fix compilation with LWIP_DEBUG Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>	2025-02-24 21:52:41 +01:00
Matthias Dietrich	ba306bcdaa	Fix missing END_TEST in test_ip6_reass unit test Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>	2025-02-24 21:32:58 +01:00
Simon Goldschmidt	554e104095	next release will probably be 2.2.2	2025-02-06 08:34:57 +01:00