lwip-devel

[lwip-devel] [bug #46128] Possible to trigger LWIP_ASSERT by received SN


From: Kerem Hadimli
Subject: [lwip-devel] [bug #46128] Possible to trigger LWIP_ASSERT by received SNMP messages
Date: Mon, 05 Oct 2015 09:31:20 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?46128>

                 Summary: Possible to trigger LWIP_ASSERT by received SNMP
messages
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: keremhadimli
            Submitted on: Mon 05 Oct 2015 09:31:19 AM GMT
                Category: Security-related
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.4.1

    _______________________________________________________

Details:

I noticed the following behavior on 1.4.1, but I also see that the code is
the same in git master.


When an SNMP request is received, snmp_recv() is called. snmp_recv() calls
snmp_pdu_dec_varbindlist() for incoming SNMP variables.

For strings, snmp_pdu_dec_varbindlist() might assert itself:

1. LWIP_ASSERT("invalid length", len <= 0xff);

afterwards it calls snmp_varbind_alloc().


snmp_varbind_alloc() checks for:

2. If OID size is larger than the configured max OID size:
LWIP_ASSERT("SNMP_MAX_TREE_DEPTH is configured too low", i <= SNMP_MAX_TREE_DEPTH);

3. If variable size (string len) is larger than the configured max variable
size:

LWIP_ASSERT("SNMP_MAX_OCTET_STRING_LEN is configured too low", vb->value_len <= SNMP_MAX_VALUE_SIZE);


Probably the idea is that, if these functions are used for outgoing messages,
the developer should know about the wrong configuration. But it is possible to
use any of these 3 assert locations to cause an assert on an lwIP device
remotely.





    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?46128>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
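
Added example, not part of the original report and not lwIP code: a receive-path length check for an OCTET STRING value in which the three limits the report lists are ordinary error returns, so an oversized field makes the caller drop the packet rather than halt the device. All ex_ names and both limit values are hypothetical, and the byte arrays are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed limits for this sketch; hypothetical names, not lwIP's options. */
#define EX_MAX_OID_SUBIDS 32u   /* stands in for the configured max OID size */
#define EX_MAX_VALUE_SIZE 64u   /* stands in for the configured max value size */
enum ex_err { EX_OK = 0, EX_TRUNCATED = -1, EX_BAD_TYPE = -2, EX_TOO_LONG = -3 };

/* Constructed sample inputs (not captured traffic). */
static const uint8_t ex_ok_pkt[]  = { 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t ex_big_pkt[] = { 0x04, 0x82, 0x01, 0x00 }; /* claims 256 bytes */

/* Decode a BER length: short form, or long form with 1-2 length octets. */
static int ex_ber_len(const uint8_t *p, size_t avail, size_t *len, size_t *used)
{
  size_t i, n;
  if (avail < 1) return EX_TRUNCATED;
  if ((p[0] & 0x80u) == 0) { *len = p[0]; *used = 1; return EX_OK; }
  n = p[0] & 0x7fu;
  if (n == 0 || n > 2) return EX_TOO_LONG;  /* indefinite or oversized form */
  if (avail < 1 + n) return EX_TRUNCATED;
  *len = 0;
  for (i = 0; i < n; i++) *len = (*len << 8) | p[1 + i];
  *used = 1 + n;
  return EX_OK;
}

/* Validate one received OCTET STRING value. Each limit that the report shows
 * as an assert is an error code here; on EX_OK, *val points into pkt and
 * *val_len is within every limit and within the bytes actually received. */
int ex_check_octet_string(const uint8_t *pkt, size_t pkt_len, size_t oid_subids,
                          const uint8_t **val, size_t *val_len)
{
  size_t len, used;
  int rc;
  if (oid_subids > EX_MAX_OID_SUBIDS) return EX_TOO_LONG;  /* item 2: OID size */
  if (pkt_len < 1) return EX_TRUNCATED;
  if (pkt[0] != 0x04u) return EX_BAD_TYPE;                 /* OCTET STRING tag */
  rc = ex_ber_len(pkt + 1, pkt_len - 1, &len, &used);
  if (rc != EX_OK) return rc;
  if (len > 0xffu) return EX_TOO_LONG;                     /* item 1: len <= 0xff */
  if (len > EX_MAX_VALUE_SIZE) return EX_TOO_LONG;         /* item 3: value size */
  if (len > pkt_len - 1 - used) return EX_TRUNCATED;       /* claimed > received */
  *val = pkt + 1 + used;
  *val_len = len;
  return EX_OK;
}
```
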
