[lwip-devel] [bug #58553] Memory disclosure for icmp6 in git master branch

From: Wenqiang Li
Subject: [lwip-devel] [bug #58553] Memory disclosure for icmp6 in git master branch
Date: Fri, 12 Jun 2020 13:22:12 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
URL:
<https://savannah.nongnu.org/bugs/?58553>
Summary: Memory disclosure for icmp6 in git master branch
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: silentdawn
Submitted on: Fri 12 Jun 2020 05:22:10 PM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
Type:
Buffer overflow
Description:
This bug is related to bug #58552. We have observed the changes made to the
same place in the master branch. However, the bug still exists. The function
pbuf_take_at() replaces the function SMEMCPY() in the master branch. However,
it is still vulnerable.
The function pbuf_take_at() tries to copy fields from the original packet as
shown in line 409 of icmp6.c. The parameter len of the function pbuf_take_at()
is the length of another parameter dataptr. However, the function
icmp6_send_response_with_addrs_and_netif() passes the parameters p->payload
and p->tot_len to the function pbuf_take_at(), which are the total length of
the p->payload plus all payload lengths of its following pbufs. If p->tot_len
is larger than the length of p->payload, the memory will leak to remote
attackers through the network. To fix this, the datalen should be p->len, not
p->tot_len.
385  static void icmp6_send_response_with_addrs_and_netif(struct pbuf *p, u8_t code,
     u32_t data, u8_t type, const ip6_addr_t *reply_src, const ip6_addr_t *reply_dest,
     struct netif *netif)
387  {
     ...
409    pbuf_take_at(q, p->payload, datalen, sizeof(struct icmp6_hdr));
     ...
423  }
Result:
Memory disclosure.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?58553>
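The report above turns on the difference between a pbuf's own len and the chain-wide tot_len. The following is an added illustration, not lwIP code and not part of the bug report: it uses a toy pbuf_toy struct (an assumption that only mirrors the lwIP pbuf fields next, payload, len and tot_len), a constructed two-segment packet, and a hypothetical copy_chain() routine that walks the chain instead of reading tot_len bytes from the first segment's payload. overread_bytes() shows how many bytes a flat copy would read past the first segment, which is the memory that would be disclosed.

```c
/* Added illustration, not lwIP code: a toy pbuf chain showing why copying
 * p->tot_len bytes out of p->payload over-reads the first segment, and a
 * chain-walking copy that stays inside each segment's own len. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in (assumption) mirroring the lwIP pbuf fields that matter here:
 * payload/len describe this segment only, tot_len covers the whole chain. */
typedef struct pbuf_toy {
    struct pbuf_toy *next;
    uint8_t *payload;
    size_t len;     /* bytes stored in this segment */
    size_t tot_len; /* this segment plus every segment after it */
} pbuf_toy;

/* Constructed sample: a 16-byte packet split across two 8-byte segments,
 * as a chained pbuf would be. */
static uint8_t seg1_data[] = "ICMP6HDR";
static uint8_t seg2_data[] = "PAYLOADX";
static pbuf_toy seg2 = { NULL,  seg2_data, 8, 8  };
static pbuf_toy seg1 = { &seg2, seg1_data, 8, 16 };

const pbuf_toy *sample_chain(void) { return &seg1; }

/* How many bytes a flat memcpy(dst, p->payload, p->tot_len) would read
 * past the end of p's own segment: the tot_len vs len gap in the report. */
size_t overread_bytes(const pbuf_toy *p) {
    return p->tot_len > p->len ? p->tot_len - p->len : 0;
}

/* Safe variant: walk the chain, never reading beyond a segment's len,
 * and copy at most `want` bytes (capped by dst_cap). Returns bytes copied. */
size_t copy_chain(uint8_t *dst, size_t dst_cap, const pbuf_toy *p, size_t want) {
    size_t copied = 0;
    if (want > dst_cap) {
        want = dst_cap;
    }
    for (; p != NULL && copied < want; p = p->next) {
        size_t n = p->len;
        if (n > want - copied) {
            n = want - copied;
        }
        memcpy(dst + copied, p->payload, n);
        copied += n;
    }
    return copied;
}

/* Self-check: 1 when the chain-walking copy reproduces the whole
 * constructed packet exactly, 0 otherwise. */
int chain_copy_is_exact(void) {
    uint8_t out[32];
    const pbuf_toy *p = sample_chain();
    size_t n = copy_chain(out, sizeof out, p, p->tot_len);
    return n == 16 && memcmp(out, "ICMP6HDRPAYLOADX", 16) == 0;
}

int main(void) {
    const pbuf_toy *p = sample_chain();
    printf("first segment len=%zu, chain tot_len=%zu\n", p->len, p->tot_len);
    printf("flat copy of tot_len bytes would over-read %zu bytes\n", overread_bytes(p));
    printf("chain-walking copy exact: %s\n", chain_copy_is_exact() ? "yes" : "no");
    return 0;
}
```

The defensive takeaway is the one the report makes: any length handed to a routine that reads from a single pbuf's payload must be bounded by that pbuf's len, and anything that needs tot_len bytes has to walk the chain. In a code review, a grep for tot_len used as the length argument of a flat copy from payload is a cheap way to find the same pattern elsewhere.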