[lwip-devel] [bug #53212] UDP pbc list not initialized

lwip-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #53212] UDP pbc list not initialized

From:	Christopher Sund
Subject:	[lwip-devel] [bug #53212] UDP pbc list not initialized
Date:	Fri, 23 Feb 2018 20:09:36 -0500 (EST)
User-agent:	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

URL:
  <http://savannah.nongnu.org/bugs/?53212>

                 Summary: UDP pbc list not initialized
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: csunday95
            Submitted on: Sat 24 Feb 2018 01:09:35 AM UTC
                Category: UDP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.0.3

    _______________________________________________________

Details:

In udp.c, the global list udp_pcbs is declared as

struct udp_pcb *udp_pcbs;

i.e. it is declared an not initialized. If program execution reaches a point
in which the udp_pcbs list is required without and udp_pcb element having been
added to the list, the random pointer value present in this uninitialized
variable is de-referenced (generally causing a crash/ unsafe and likely
unintended). This scenario happens if for instance 

1. the LwIP stack is set up with UDP support
2. the physical device driver receives a UDP packet and calls its input
function
3. this packet ends up being forwarded to udp_input()
4. the random pointer value is de-referenced within the code:
   ...
   for (pcb = udp_pcbs; pcb != NULL; pcb = pcb->next) {
   ...
   if ((pcb->local_port == dest) && 
       (udp_input_local_match(pcb, inp, broadcast) != 0)) {
   ...
 This code segment starts on udp.c:240 for the version of LwIP I'm using
(2.0.3)

This problem can be easily averted by instead defining and initialing udp_pcbs
with

struct udp_pcb *udp_pcbs = NULL;

within the global scope of udp.c







    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?53212>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[lwip-devel] [bug #53212] UDP pbc list not initialized, Christopher Sund <=
- [lwip-devel] [bug #53212] UDP pbc list not initialized, Jan Breuer, 2018/02/24
  - [lwip-devel] [bug #53212] UDP pbc list not initialized, Simon Goldschmidt, 2018/02/24

Prev by Date: [lwip-devel] [patch #9554] Multicast filter and IGMPv3 support (MLDv2 for futrue) patch
Next by Date: [lwip-devel] lowpan6_ble.c build failure if LWIP_RFC7668_NUM_CONTEXTS==0
Previous by thread: [lwip-devel] [patch #9554] Multicast filter and IGMPv3 support (MLDv2 for futrue) patch
Next by thread: [lwip-devel] [bug #53212] UDP pbc list not initialized
Index(es):
- Date
- Thread