From: David van Moolenbroek
Subject: [lwip-devel] [bug #50231] nd6: several option size related issues in Router Advertisement message processing
Date: Sun, 5 Feb 2017 13:20:22 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
URL: <http://savannah.nongnu.org/bugs/?50231>
Summary: nd6: several option size related issues in Router Advertisement message processing
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: dcvmoole
Submitted on: Sun 05 Feb 2017 01:20:20 PM GMT
Category: IPv6
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
The ND6 code that processes ICMP6_TYPE_RA messages has several problems, some
with a high potential of making lwIP access buffers beyond their end:
1) nd6_ra_buffer is declared with size sizeof(prefix_option), whereas since the
addition of RDNSS support, prefix_option may no longer be the largest option;
2) the RA processing's pbuf_copy_partial() call uses sizeof(prefix_option)
rather than sizeof(nd6_ra_buffer), introducing additional risks of size
mismatches even if point #1 is fixed;
3) the RA processing's pbuf_copy_partial() should not fail in the case that
the last option is not as large as the largest option;
4) if the next option is contained within the first pbuf (i.e., the
non-pbuf_copy_partial case), the *location* of buffer[1] may still be beyond
the packet end;
5) there is no check to see whether the option's size in the packet (i.e., the
*value* of buffer[1]) is fully contained within the buffer; note that this can
only be done after checking #4;
6) none of the individual options have proper checks to see if the option's
structure size matches the option's size in the packet before accessing
structure fields; note that this check is not a replacement for #5.
(I apologize for not being able to afford the time to work on a patch for this
myself, but in my implementation I have other reasons to patch out RA message
processing altogether anyway.)
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?50231>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
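As an added example (not lwIP code and not the reporter's), the following shows the bounds-checked option walk that points #4, #5 and #6 above call for: the two-byte option header must lie inside the packet, the length the option declares must fit the bytes actually present, and fixed-layout options must match their structure size. Function, enum and sample-byte names are hypothetical; type codes and sizes follow RFC 4861 (Prefix Information, MTU) and RFC 8106 (RDNSS), and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Outcome of validating one RA option chain (hypothetical names). */
enum ra_opt_result {
    RA_OPT_OK = 0,
    RA_OPT_TRUNCATED_HEADER, /* check #4: type/length bytes past packet end */
    RA_OPT_ZERO_LENGTH,      /* RFC 4861 4.6: length 0 is invalid */
    RA_OPT_OVERRUNS_PACKET,  /* check #5: declared length exceeds remaining bytes */
    RA_OPT_BAD_STRUCT_SIZE   /* check #6: length disagrees with the option's layout */
};
/* Option type codes from RFC 4861 and RFC 8106. */
#define ND_OPT_PREFIX_INFO 3
#define ND_OPT_MTU         5
#define ND_OPT_RDNSS       25
/* Walk the TLV options after the fixed RA header. `len` is the number of bytes
 * actually present in the packet, not the size any option claims. */
enum ra_opt_result nd6_validate_ra_options(const uint8_t *opts, size_t len,
                                           unsigned *count)
{
    size_t off = 0;
    unsigned n = 0;
    while (off < len) {
        if (len - off < 2)                      /* #4: the 2-byte header must fit */
            return RA_OPT_TRUNCATED_HEADER;
        uint8_t type = opts[off];
        size_t opt_len = (size_t)opts[off + 1] * 8;   /* length is in 8-octet units */
        if (opt_len == 0)
            return RA_OPT_ZERO_LENGTH;
        if (opt_len > len - off)                /* #5: declared size must fit */
            return RA_OPT_OVERRUNS_PACKET;
        /* #6: fixed-layout options must be exactly their structure size;
         * RDNSS is an 8-byte header plus one or more 16-byte addresses. */
        if ((type == ND_OPT_PREFIX_INFO && opt_len != 32) ||
            (type == ND_OPT_MTU && opt_len != 8) ||
            (type == ND_OPT_RDNSS && (opt_len < 24 || (opt_len - 8) % 16 != 0)))
            return RA_OPT_BAD_STRUCT_SIZE;
        off += opt_len;                         /* unknown types are skipped whole */
        n++;
    }
    if (count) *count = n;
    return RA_OPT_OK;
}
/* Constructed sample: MTU 1500 option, then a prefix option for 2001:db8::/64. */
static const uint8_t ra_opts_good[40] = {
    5, 1, 0, 0, 0x00, 0x00, 0x05, 0xdc,
    3, 4, 64, 0xc0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x20, 0x01, 0x0d, 0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
/* Constructed sample: prefix option claims 32 bytes but only 16 are present. */
static const uint8_t ra_opts_short[16] = { 3, 4, 64, 0xc0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
```

A receiver that runs this walk before copying any option into a fixed-size scratch buffer never reads past the pbuf, whatever size the scratch buffer is declared with.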