[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow

lwip-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow

From:	Wouter van Gulik
Subject:	[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
Date:	Thu, 30 Dec 2021 17:31:45 -0500 (EST)
User-agent:	Mozilla/5.0 (Android 10; Mobile; rv:95.0) Gecko/95.0 Firefox/95.0

Follow-up Comment #4, bug #61480 (project lwip):

I have written some fixes, but I keep battling corner cases.
I do not get why a large initial packet should still be limited to the client
rxbuf?
Is not better to first try maximum from current pbuf? Let's say you receive
200 bytes, then it will be split and processed in 127 and then the
remainder?.
And does reassembly within the first 127 bytes really help? It will only help
on pbuf borders. Does that really occur?
I imagine it a mqtt message is usually within a single pbuf.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?61480>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow, Wouter van Gulik, 2021/12/22
- [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow, Wouter van Gulik, 2021/12/27
  - [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow, Wouter van Gulik, 2021/12/27
    - [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow, Wouter van Gulik <=

Prev by Date: [lwip-devel] [patch #10132] fix pbuf->len calculation error in type PBUF_POOL
Previous by thread: [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
Next by thread: [lwip-devel] Missing SHTML support in makefsdata
Index(es):
- Date
- Thread