
memory allocation bug in LWIP mem.c?

MS.9
Associate III

As far as I can tell, there is a bug in mem_init() in mem.c; this can cause a memory overrun and hard fault (if you're lucky).

In lwipopts.h I set

LWIP_RAM_HEAP_POINTER = 0x30004000

MEM_SIZE 0x4000

I would expect the pool to be from 0x30004000 to 0x30007FFF

however mem_init() has this code

ram_end = ptr_to_mem(MEM_SIZE_ALIGNED);
ram_end->used = 1;
ram_end->next = MEM_SIZE_ALIGNED;
ram_end->prev = MEM_SIZE_ALIGNED;

 

ram_end is set to 0x30008000 and the instruction 'ram_end->used = 1' writes beyond the allocated memory, and in my case outside the memory_segment and hard faults. If the pool is elsewhere it'll overwrite the next address outside the pool - eek.

 

using STM32Cube_FW_H7_V1.11.2

path to file

STM32Cube_FW_H7_V1.11.2\Middlewares\Third_Party\LwIP\src\core\mem.c

but same code in F4, and others I guess.

4 REPLIES
ASEHST
ST Employee

Hello @MS.9,

When you set the end of memory to 0x30007FFF, and ram_end is initialized to 0x30008000, it poses a problem because ram_end now points to an address that is potentially outside the allocated or reserved memory for LwIP. If the code tries to write to this address (for example, by setting ram_end->used = 1), it could write outside the allocated memory for the LwIP heap, which could cause a hardware fault if this address is not valid in the microcontroller's address space.

Could you please try to ensure ram_end points within the allocated memory range, just before the end, with this instruction: struct mem *ram_end = (struct mem *)((u8_t *)ram + MEM_SIZE - SIZEOF_STRUCT_MEM);?

This ensures that writing ram_end->used = 1 does not exceed the allocated memory limit.

 

With Regards,

 

If your question is answered, please close this topic by clicking "Accept as Solution".
ASEHST
ST Employee

Hello @MS.9,

Any update regarding this thread?

With Regards,

MS.9
Associate III

Hi,

So yes, your solution will work (and this is similar to my fix), but since mem.c is an ST-supplied library, the bug needs to be reported to your dev team.

Everybody using this library will encounter this issue.

thanks

Mark

 

Hello @MS.9,

It is essential to set the heap size correctly to avoid memory overflow, which can cause operational errors. In lwipopts.h, #define MEM_SIZE 0x4000 allocates 16 KB for the LwIP heap, tailored to the RAM boundaries of our STM32F7 Nucleo and Discovery microcontrollers, ranging from 0x30000000 to 0x30003FFF. Each heap memory block is managed by a struct mem, necessitating additional memory.

Allocating MEM_SIZE without considering SIZEOF_STRUCT_MEM results in dedicating all memory to user data, with no provision for memory management. This leads to an overflow when LwIP attempts to write to struct mem at the end of the heap.

To maintain system integrity, MEM_SIZE should be adjusted as follows:

#define MEM_SIZE (16*1024 - SIZEOF_STRUCT_MEM)

Subtracting SIZEOF_STRUCT_MEM ensures we allocate space for the memory management structure, thus preventing overflow and potential system failure.

Therefore, this issue stems from a memory configuration oversight rather than an ST bug.

 

With Regards

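A host-side model of the address arithmetic discussed in this thread, added here as an example (it is not lwIP or ST code, and the function names are hypothetical). It assumes MEM_ALIGNMENT is 4 and SIZEOF_STRUCT_MEM is 8, neither of which is stated in the thread, and checks where the ram_end sentinel lands for the two MEM_SIZE values mentioned above.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed port settings (not stated in the thread): 4-byte alignment and a
 * struct mem of two 16-bit indices plus a flag byte, i.e. 6 bytes padded to 8. */
#define MEM_ALIGNMENT      4u
#define SIZEOF_STRUCT_MEM  8u

/* Round a size up to MEM_ALIGNMENT, as MEM_SIZE_ALIGNED does for MEM_SIZE. */
static uint32_t align_up(uint32_t n)
{
    return (n + MEM_ALIGNMENT - 1u) & ~(MEM_ALIGNMENT - 1u);
}

/* Address of the end sentinel: ram_end = ptr_to_mem(MEM_SIZE_ALIGNED). */
uint32_t ram_end_addr(uint32_t heap_base, uint32_t mem_size)
{
    return align_up(heap_base) + align_up(mem_size);
}

/* Last byte mem_init() touches: the final byte of the sentinel header. */
uint32_t heap_last_byte(uint32_t heap_base, uint32_t mem_size)
{
    return ram_end_addr(heap_base, mem_size) + SIZEOF_STRUCT_MEM - 1u;
}

/* 1 if heap plus sentinel lie inside [region_first, region_last], else 0. */
int heap_fits(uint32_t heap_base, uint32_t mem_size,
              uint32_t region_first, uint32_t region_last)
{
    return heap_base >= region_first &&
           heap_last_byte(heap_base, mem_size) <= region_last;
}

int main(void)
{
    /* Values from the thread: pool expected at 0x30004000..0x30007FFF. */
    const uint32_t base = 0x30004000u, first = 0x30004000u, last = 0x30007FFFu;
    const uint32_t sizes[] = { 0x4000u, 0x4000u - SIZEOF_STRUCT_MEM };

    for (unsigned i = 0; i < 2; i++) {
        printf("MEM_SIZE=0x%04lX ram_end=0x%08lX last=0x%08lX fits=%d\n",
               (unsigned long)sizes[i],
               (unsigned long)ram_end_addr(base, sizes[i]),
               (unsigned long)heap_last_byte(base, sizes[i]),
               heap_fits(base, sizes[i], first, last));
    }
    return 0;
}
```

The same comparison can be turned into a build-time check in a port by comparing the computed last byte against the end of the linker section that holds the heap.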