From: David van Moolenbroek
Subject: [lwip-devel] [bug #50231] nd6: several option size related issues in Router Advertisement message processing
Date: Sun, 5 Feb 2017 13:20:22 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0

URL:
  <http://savannah.nongnu.org/bugs/?50231>

                 Summary: nd6: several option size related issues in Router Advertisement message processing
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: dcvmoole
            Submitted on: Sun 05 Feb 2017 01:20:20 PM GMT
                Category: IPv6
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

The ND6 code that processes ICMP6_TYPE_RA messages has several problems, some
with a high potential of making lwIP access buffers beyond their end:

1) nd6_ra_buffer is declared with size sizeof(prefix_option) whereas since the
addition of RDNSS support, prefix_option may no longer be the largest option;
2) the RA processing's pbuf_copy_partial() call uses sizeof(prefix_option)
rather than sizeof(nd6_ra_buffer), introducing additional risks of size
mismatches even if point #1 is fixed;
3) the RA processing's pbuf_copy_partial() should not fail in the case that
the last option is not as large as the largest option;
4) if the next option is contained within the first pbuf (i.e., the
non-pbuf_copy_partial case), the *location* of buffer[1] may still be beyond
the packet end;
5) there is no check to see whether the option's size in the packet (i.e., the
*value* of buffer[1]) is fully contained within the buffer; note that this can
only be done after checking #4;
6) none of the individual options have proper checks to see if the option's
structure size matches the option's size in the packet before accessing
structure fields; note that this check is not a replacement for #5.

(I apologize for not being able to afford the time to work on a patch for this
myself, but in my implementation I have other reasons to patch out RA message
processing altogether anyway.)




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?50231>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
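The six checks listed in the report, as an added C example that is not part of the bug report or of lwIP's code: a bounds-checked walker over the option list that follows the fixed Router Advertisement header. It works on a flat byte buffer rather than a pbuf chain, and the struct layouts, macro names, result codes and sample packets are assumptions constructed for illustration (lwIP's own definitions live in lwip/prot/nd6.h). Each comment marks which numbered issue the check addresses: the header bytes are verified to be inside the packet (#4) before the length field is trusted (#5), the copy is bounded by both the option and the scratch buffer (#1, #2, #3), and the wire size is compared with the structure size before any field is read (#6).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ND option type codes (RFC 4861 section 4.6; RDNSS from RFC 8106). Assumed here. */
#define ND6_OPTION_TYPE_SOURCE_LLADDR 1
#define ND6_OPTION_TYPE_PREFIX_INFO   3
#define ND6_OPTION_TYPE_MTU           5
#define ND6_OPTION_TYPE_RDNSS         25

/* Illustrative on-wire layouts, assumed for this example (lwIP's own live in lwip/prot/nd6.h).
 * Multi-byte fields stay in network byte order and are decoded with be32(). */
struct prefix_option { uint8_t type, length, prefix_length, flags;
                       uint32_t valid_lifetime, preferred_lifetime, reserved2; uint8_t prefix[16]; };
struct mtu_option    { uint8_t type, length; uint16_t reserved; uint32_t mtu; };
struct rdnss_option  { uint8_t type, length; uint16_t reserved; uint32_t lifetime; uint8_t addr[16]; };

/* Issues #1/#2: size the scratch buffer from a union of every option the parser knows, and
 * always copy against sizeof(scratch); adding an option type then cannot silently undersize it. */
union nd6_ra_option { struct prefix_option prefix; struct mtu_option mtu; struct rdnss_option rdnss; };

enum ra_result { RA_OK = 0, RA_ERR_TRUNCATED_HDR, RA_ERR_ZERO_LEN, RA_ERR_TRUNCATED_OPT, RA_ERR_BAD_STRUCT_SIZE };

struct ra_summary { unsigned prefixes, mtu_opts, rdnss_opts, lladdr_opts, unknown, rdnss_addrs; uint32_t mtu; };

static uint32_t be32(const void *p) {
    const uint8_t *b = (const uint8_t *)p;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Walk the options following the fixed RA header: 'opts' points at the first option and 'len'
 * is the number of packet bytes left. Stops at the first malformed option and reports why. */
enum ra_result ra_walk_options(const uint8_t *opts, size_t len, struct ra_summary *out)
{
    union nd6_ra_option scratch;
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off < len) {
        size_t remaining = len - off, optlen, copy;
        uint8_t type;
        /* Issue #4: the two header bytes (type, length) must themselves lie inside the packet. */
        if (remaining < 2) return RA_ERR_TRUNCATED_HDR;
        type = opts[off];
        optlen = (size_t)opts[off + 1] * 8u;             /* length field is in units of 8 octets */
        /* A zero length is invalid per RFC 4861 and would otherwise make this loop spin forever. */
        if (optlen == 0) return RA_ERR_ZERO_LEN;
        /* Issue #5: the declared option length must be fully contained in the remaining packet. */
        if (optlen > remaining) return RA_ERR_TRUNCATED_OPT;
        /* Issue #3: copy min(option, scratch) bytes, so a short final option never fails the copy
         * and a long RDNSS option never overruns the scratch buffer. */
        copy = optlen < sizeof(scratch) ? optlen : sizeof(scratch);
        memcpy(&scratch, opts + off, copy);
        /* Issue #6: compare the wire size with the structure size before touching any field. */
        switch (type) {
        case ND6_OPTION_TYPE_PREFIX_INFO:
            if (optlen != sizeof(struct prefix_option)) return RA_ERR_BAD_STRUCT_SIZE;
            out->prefixes++;
            break;
        case ND6_OPTION_TYPE_MTU:
            if (optlen != sizeof(struct mtu_option)) return RA_ERR_BAD_STRUCT_SIZE;
            out->mtu = be32(&scratch.mtu.mtu);
            out->mtu_opts++;
            break;
        case ND6_OPTION_TYPE_RDNSS:
            /* 8-byte header plus one or more 16-byte addresses (RFC 8106: length field >= 3). */
            if (optlen < sizeof(struct rdnss_option) || (optlen - 8u) % 16u != 0) return RA_ERR_BAD_STRUCT_SIZE;
            out->rdnss_addrs += (unsigned)((optlen - 8u) / 16u);
            out->rdnss_opts++;
            break;
        case ND6_OPTION_TYPE_SOURCE_LLADDR:
            out->lladdr_opts++;                           /* optlen >= 8 already guaranteed above */
            break;
        default:
            out->unknown++;                               /* unknown options are skipped by length */
            break;
        }
        off += optlen;
    }
    return RA_OK;
}

/* Constructed sample option sequences (not captured traffic). */
static const uint8_t sample_good[] = {
    3, 4, 64, 0xC0, 0,0,0x0E,0x10, 0,0,0x07,0x08, 0,0,0,0,
    0x20,0x01,0x0D,0xB8, 0,0,0,0, 0,0,0,0, 0,0,0,0,        /* prefix info: 2001:db8::/64 */
    5, 1, 0,0, 0,0,0x05,0xDC,                               /* MTU: 1500 */
    25, 3, 0,0, 0,0,0x0E,0x10,
    0x20,0x01,0x0D,0xB8, 0,0,0,0, 0,0,0,0, 0,0,0,1,        /* RDNSS: 2001:db8::1 */
};
static const uint8_t sample_truncated[] = { 3, 4, 64, 0xC0, 0,0,0x0E,0x10, 0,0,0x07,0x08, 0,0,0,0 }; /* claims 32 bytes, has 16 */
static const uint8_t sample_zero_len[]  = { 3, 0, 64, 0xC0, 0,0,0,0 };                                 /* length field 0 */
static const uint8_t sample_bad_mtu[]   = { 5, 2, 0,0, 0,0,0x05,0xDC, 0,0,0,0, 0,0,0,0 };               /* MTU with length 2 */

/* Wrappers returning scalars, for stand-alone runs and the checks below. */
static enum ra_result ra_check(const uint8_t *p, size_t n) { struct ra_summary s; return ra_walk_options(p, n, &s); }
static uint32_t ra_sample_mtu(void) { struct ra_summary s; ra_walk_options(sample_good, sizeof sample_good, &s); return s.mtu; }
static unsigned ra_sample_rdnss_addrs(void) { struct ra_summary s; ra_walk_options(sample_good, sizeof sample_good, &s); return s.rdnss_addrs; }

int main(void)
{
    printf("good=%d truncated=%d zero=%d bad_mtu=%d mtu=%u rdnss_addrs=%u\n",
           ra_check(sample_good, sizeof sample_good), ra_check(sample_truncated, sizeof sample_truncated),
           ra_check(sample_zero_len, sizeof sample_zero_len), ra_check(sample_bad_mtu, sizeof sample_bad_mtu),
           (unsigned)ra_sample_mtu(), ra_sample_rdnss_addrs());
    return 0;
}
```

The ordering of the checks is the point: the length byte at buffer[1] is only read after the header is known to be in bounds, the declared length is only used for the copy after it is known to fit in the packet, and structure fields are only dereferenced after the declared length is known to cover the whole structure. Bounding the copy by the scratch size is also what lets a variable-length RDNSS option with many addresses pass through safely when the parser only looks at its fixed header.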