From 769b2a3e30d85371af228d2c303a9d9e16fb8cfa Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt <goldsimon@gmx.de>
Date: Fri, 11 Jan 2013 21:59:26 +0100
Subject: [PATCH] fixed bug #38066 Raw pcbs can alter packet without eating it:
 added assertion to check that p->payload is unchanged

---
 CHANGELOG      | 3 +++
 src/core/raw.c | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index 6ad6d37b..01ccaf7e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -80,6 +80,9 @@ HISTORY
 
  ++ Bugfixes:
 
+  2013-01-11: Simon Goldschmidt
+  * raw.c: fixed bug #38066 Raw pcbs can alter packet without eating it
+
   2012-09-26: Simon Goldschmidt
   * api_msg.c: fixed bug #37405 'err_tcp()' uses already freed 'netconn' object
 
diff --git a/src/core/raw.c b/src/core/raw.c
index 6f50848c..68b23c61 100644
--- a/src/core/raw.c
+++ b/src/core/raw.c
@@ -119,6 +119,9 @@ raw_input(struct pbuf *p, struct netif *inp)
       {
         /* receive callback function available? */
         if (pcb->recv.ip4 != NULL) {
+#ifndef LWIP_NOASSERT
+          void* old_payload = p->payload;
+#endif
           /* the receive callback function did not eat the packet? */
           eaten = pcb->recv.ip4(pcb->recv_arg, pcb, p, ip_current_src_addr());
           if (eaten != 0) {
@@ -132,6 +135,10 @@ raw_input(struct pbuf *p, struct netif *inp)
               pcb->next = raw_pcbs;
               raw_pcbs = pcb;
             }
+          } else {
+            /* sanity-check that the receive callback did not alter the pbuf */
+            LWIP_ASSERT("raw pcb recv callback altered pbuf payload pointer without eating packet",
+              p->payload == old_payload);
           }
         }
         /* no receive callback function was set for this raw PCB */
-- 
2.39.2