[lwip-users] [lwip] ip_input bug
From: Tim Newsham
Subject: [lwip-users] [lwip] ip_input bug
Date: Wed, 08 Jan 2003 23:37:08 -0000

Some code from ip_input. There's lots wrong with this:

    /* If a DHCP packet has arrived on the interface, we pass it up the
       stack regardless of destination IP address. The reason is that
       DHCP replies are sent to the IP address that will be given to this
       node (as recommended by RFC 1542 section 3.1.1, referred by RFC
       2131). */
    if(IPH_PROTO(iphdr) == IP_PROTO_UDP &&
       ((struct udp_hdr *)((u8_t *)iphdr + IPH_HL(iphdr) * 4/sizeof(u8_t)))->src ==
       DHCP_SERVER_PORT) {
      netif = inp;
    }

1) accessing the pbuf improperly (is there a requirement that
   ip_input is called with a pbuf with only 1 buffer on it?
   It looks like all of ip_input accesses p->payload directly
   without checking if there are other buffers in the chain)
2) no length check. If there's a short udp header, this
   will access undefined parts of memory
3) no fragment check. If this is not the first fragment,
   it's meaningless to look past the IP header w/o reassembly.

Seems like a bad way to hack in support for dhcp.

Tim N.
[This message was sent through the lwip discussion list.]
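
Added example, not part of the original message and not lwIP code: one way to write the DHCP source-port test so that it walks a buffer chain, checks that the whole UDP header is present, and skips non-first fragments. `struct buf`, `chain_copy`, `from_dhcp_server` and `demo_split` are hypothetical names, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical chained buffer, standing in for a pbuf chain (not lwIP's type). */
struct buf { struct buf *next; const uint8_t *payload; size_t len; };

/* Copy n bytes at offset off out of the chain; -1 if the chain is too short. */
static int chain_copy(const struct buf *p, size_t off, uint8_t *dst, size_t n)
{
    for (; p != NULL && n > 0; p = p->next) {
        if (off >= p->len) { off -= p->len; continue; }
        size_t take = p->len - off < n ? p->len - off : n;
        memcpy(dst, p->payload + off, take);
        dst += take; n -= take; off = 0;
    }
    return n == 0 ? 0 : -1;
}

/* 1 only for an IPv4/UDP packet at fragment offset 0 whose whole UDP header
   is present in the chain and whose source port is 67 (DHCP server). */
int from_dhcp_server(const struct buf *p)
{
    uint8_t ip[20], udp[8];
    if (chain_copy(p, 0, ip, sizeof ip) != 0) return 0;      /* short IP header */
    size_t hl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || hl < 20) return 0;              /* malformed header */
    if (ip[9] != 17) return 0;                               /* not UDP */
    if (((((unsigned)ip[6] << 8) | ip[7]) & 0x1fff) != 0) return 0; /* later fragment */
    if (total < hl + sizeof udp) return 0;                   /* claimed length too small */
    if (chain_copy(p, hl, udp, sizeof udp) != 0) return 0;   /* short UDP header */
    return ((((unsigned)udp[0] << 8) | udp[1]) == 67);
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header, port 67 -> 68. */
static const uint8_t sample[28] = {
    0x45,0,0,28, 0,0,0,0, 64,17,0,0, 192,0,2,1, 255,255,255,255,
    0,67, 0,68, 0,8, 0,0 };

/* Same bytes split across two chained buffers, breaking inside the UDP header. */
int demo_split(void)
{
    struct buf b = { NULL, sample + 21, 7 }, a = { &b, sample, 21 };
    return from_dhcp_server(&a);
}
```

The port is read byte by byte from a local copy, so the check does not depend on the header being contiguous or aligned in the first buffer.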