[lwip-devel] [bug #58552] Memory disclosure for icmp6
From: Wenqiang Li
Subject: [lwip-devel] [bug #58552] Memory disclosure for icmp6
Date: Fri, 12 Jun 2020 13:20:17 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
URL:
<https://savannah.nongnu.org/bugs/?58552>
Summary: Memory disclosure for icmp6
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: silentdawn
Submitted on: Fri 12 Jun 2020 05:20:15 PM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: 2.1.1
_______________________________________________________
Details:
This bug still exists in the latest version 2.1.2.
Type:
Buffer overflow
Description:
The function icmp6_send_response_with_addrs_and_netif() tries to parse an
ICMPv6 packet and send it out. Inside it, the function SMEMCPY() as shown in
line 408 of icmp6.c tries to copy a buffer pointed to by p->payload with
length (IP6_HLEN + LWIP_ICMP6_DATASIZE). However, this buffer may be smaller
than (IP6_HLEN + LWIP_ICMP6_DATASIZE). If this happens, it will cause a memory
leakage. To fix this, the length should be compared with p->len.
385 static void icmp6_send_response_with_addrs_and_netif(struct pbuf *p, u8_t code,
        u32_t data, u8_t type, const ip6_addr_t *reply_src,
        const ip6_addr_t *reply_dest, struct netif *netif){
    ...
408   SMEMCPY((u8_t *)q->payload + sizeof(struct icmp6_hdr), (u8_t *)p->payload,
              IP6_HLEN + LWIP_ICMP6_DATASIZE);
    ...
423 }
Result:
Memory disclosure
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?58552>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
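
The comparison against p->len that the report proposes, as an added C sketch (not lwIP's code and not its patch): the quoted length is clamped to the bytes the source buffer actually holds before the copy. `struct mini_pbuf`, `icmp6_quote_len`, `icmp6_copy_quote`, `ICMP6_HDR_LEN` and the constant values are assumptions made so the sketch compiles without lwIP.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed values for this sketch; lwIP takes them from its own headers/options. */
#define IP6_HLEN            40
#define LWIP_ICMP6_DATASIZE 8
#define ICMP6_HDR_LEN       8   /* stand-in for sizeof(struct icmp6_hdr) */

/* Hypothetical stand-in for the two pbuf fields the report refers to. */
struct mini_pbuf {
  uint8_t *payload;  /* start of the data held in this buffer */
  uint16_t len;      /* number of valid bytes at payload */
};

/* Bytes of the offending packet that may be quoted in the reply: the
 * configured maximum, clamped to what the source buffer really holds. */
static size_t icmp6_quote_len(const struct mini_pbuf *p)
{
  size_t want = IP6_HLEN + LWIP_ICMP6_DATASIZE;
  return (p->len < want) ? p->len : want;
}

/* Copy the quote behind the ICMPv6 header in q; -1 if q cannot hold it. */
static int icmp6_copy_quote(struct mini_pbuf *q, const struct mini_pbuf *p)
{
  size_t n = icmp6_quote_len(p);
  if (!p->payload || !q->payload || q->len < ICMP6_HDR_LEN + n) return -1;
  memcpy(q->payload + ICMP6_HDR_LEN, p->payload, n);
  return (int)n;
}

/* Constructed case: a 20-byte packet followed in memory by unrelated bytes.
 * Returns how many unrelated bytes reached the reply (0 with the clamp). */
static int demo_short_packet(void)
{
  uint8_t mem[64];
  uint8_t reply[ICMP6_HDR_LEN + IP6_HLEN + LWIP_ICMP6_DATASIZE] = {0};
  struct mini_pbuf p = { mem, 20 };
  struct mini_pbuf q = { reply, (uint16_t)sizeof(reply) };
  int leaked = 0;
  size_t i;
  memset(mem, 0x11, 20);                     /* the received packet */
  memset(mem + 20, 0xAA, sizeof(mem) - 20);  /* adjacent, unrelated memory */
  if (icmp6_copy_quote(&q, &p) != 20) return -1;
  for (i = 0; i < sizeof(reply); i++) leaked += (reply[i] == 0xAA);
  return leaked;
}

int main(void) { return demo_short_packet() == 0 ? 0 : 1; }
```

With the fixed length from line 408 in place of `icmp6_quote_len()`, the same constructed input would copy 28 of the 0xAA bytes into the reply.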