
Conversation

@szymon-czapracki (Contributor)

This PR fixes a bug in os_mbuf_dup() that could corrupt memory when duplicating an mbuf chain built from multiple pools of different payload sizes. The previous implementation assumed all segments could be duplicated from the head segment’s pool. When a later segment was larger than the head’s payload size, the memcpy() could write past the destination buffer.

The fix itself is based on apache/mynewt-nimble#2118

Function os_mbuf_dup() can overflow on mixed-pool mbuf chains.
It assumes all mbufs match the first pool’s size and memcpy()s
larger segments past the destination.
Make duplication pool-aware.
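The failure mode the PR description and the commit message describe, shown as an added, self-contained C model that is not Mynewt code: `pool_t`, `seg_t`, `chain_t`, `copy_into()`, `dup_all_from_head()`, `dup_pool_aware()` and the two pool sizes (32 and 128 bytes) are assumptions of this example, not the os_mbuf API. Rather than letting `memcpy()` run past a block, `copy_into()` checks the destination pool's payload size and reports where the real overrun would happen, so the "all-from-head" shape and the pool-aware shape can be compared on the same mixed chain, and on a single-pool chain where the old shape happens to work.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pool descriptor: a block from this pool holds at most payload_size bytes. */
typedef struct { size_t payload_size; } pool_t;
/* One chain segment. A real pool block is exactly payload_size bytes; the model buffer is
 * oversized and the bound is checked explicitly, so the demo never writes out of range. */
typedef struct { const pool_t *pool; size_t len; uint8_t data[256]; } seg_t;
typedef struct { size_t count; seg_t seg[8]; } chain_t;   /* seg[0] is the head */

static const pool_t small_pool = { 32 };    /* assumed sizes, not Mynewt defaults */
static const pool_t large_pool = { 128 };

/* "Allocate" dst from pool and copy src's payload into it.
 * Returns -1 where a real memcpy() into the pool block would overrun it. */
static int copy_into(seg_t *dst, const pool_t *pool, const seg_t *src)
{
    dst->pool = pool; dst->len = 0;
    if (src->len > pool->payload_size) return -1;
    memcpy(dst->data, src->data, src->len);
    dst->len = src->len;
    return 0;
}

/* Buggy shape: every duplicate segment is taken from the head segment's pool. */
static int dup_all_from_head(const chain_t *src, chain_t *dst)
{
    const pool_t *head_pool = src->seg[0].pool;
    int rc = 0;
    dst->count = src->count;
    for (size_t i = 0; i < src->count; i++) {
        if (copy_into(&dst->seg[i], head_pool, &src->seg[i]) != 0) rc = -1;
    }
    return rc;
}

/* Fixed shape: each duplicate segment is taken from its source segment's own pool. */
static int dup_pool_aware(const chain_t *src, chain_t *dst)
{
    dst->count = src->count;
    for (size_t i = 0; i < src->count; i++) {
        if (copy_into(&dst->seg[i], src->seg[i].pool, &src->seg[i]) != 0) return -1;
    }
    return 0;
}

static int chains_equal(const chain_t *a, const chain_t *b)
{
    if (a->count != b->count) return 0;
    for (size_t i = 0; i < a->count; i++) {
        const seg_t *x = &a->seg[i], *y = &b->seg[i];
        if (x->pool != y->pool || x->len != y->len || memcmp(x->data, y->data, x->len)) return 0;
    }
    return 1;
}

static void fill_seg(seg_t *s, const pool_t *pool, size_t len, uint8_t seed)
{
    s->pool = pool; s->len = len;
    for (size_t i = 0; i < len; i++) s->data[i] = (uint8_t)(seed + i);
}

/* Constructed input: a small-pool head of 20 bytes followed by a large-pool segment of
 * 100 bytes, more than a small-pool block can hold. */
static void build_mixed_chain(chain_t *c)
{
    memset(c, 0, sizeof(*c));
    c->count = 2;
    fill_seg(&c->seg[0], &small_pool, 20, 0xA0);
    fill_seg(&c->seg[1], &large_pool, 100, 0x00);
}

/* Bitmask of observations: 1 = all-from-head dup overruns on the mixed chain,
 * 2 = pool-aware dup succeeds on it, 4 = the pool-aware copy matches the source,
 * 8 = all-from-head dup is correct when both segments come from the small pool. */
static int run_checks(void)
{
    chain_t src, naive, fixed, uni, ucopy;
    int bits = 0;
    build_mixed_chain(&src);
    if (dup_all_from_head(&src, &naive) == -1) bits |= 1;
    if (dup_pool_aware(&src, &fixed) == 0) bits |= 2;
    if (chains_equal(&src, &fixed)) bits |= 4;
    build_mixed_chain(&uni);
    fill_seg(&uni.seg[1], &small_pool, 30, 0x10);   /* same pool as the head: no overrun */
    if (dup_all_from_head(&uni, &ucopy) == 0 && chains_equal(&uni, &ucopy)) bits |= 8;
    return bits;
}

int main(void)
{
    int bits = run_checks();
    printf("checks: 0x%x of 0xf (1=naive overruns, 2=fixed ok, 4=fixed matches, 8=uniform ok)\n", bits);
    return bits == 0xF ? 0 : 1;
}
```

The single-pool control (bit 8) is the reason the original code survived as long as it did: with every segment allocated from one pool, the head's payload size is also every other segment's size, and the copy is in bounds. The defect only surfaces once a chain mixes pools, which is exactly the case the PR's new test constructs.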
@github-actions github-actions bot added the size/m label Oct 9, 2025
@szymon-czapracki szymon-czapracki marked this pull request as draft October 9, 2025 20:07
@szymon-czapracki szymon-czapracki force-pushed the mbuf_dup_fix branch 2 times, most recently from 8d0ca6f to 25649d4 October 10, 2025 11:11
@szymon-czapracki szymon-czapracki marked this pull request as ready for review October 10, 2025 11:18
@szymon-czapracki szymon-czapracki force-pushed the mbuf_dup_fix branch 3 times, most recently from d5f2b8e to 1fe7c96 October 10, 2025 13:44
Adds a test that duplicates a small and large mbuf chain.
Verifies the second segment comes from the correct pool.
Checks lengths/payloads, and uses inner/outer guards to catch
memcpy overruns—exposing the “all-from-head” bug.
@sjanc sjanc merged commit 3845269 into apache:master Oct 15, 2025
23 checks passed
