[bug #55706] LWIP_ASSERT in tcp_receive fails


[bug #55706] LWIP_ASSERT in tcp_receive fails

Ashley Duncan
URL:
  <https://savannah.nongnu.org/bugs/?55706>

                 Summary: LWIP_ASSERT in tcp_receive fails
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: vhertz
            Submitted on: Wed 13 Feb 2019 09:02:35 AM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Hi all,

I found a test case that fails the LWIP_ASSERT in tcp_receive()
(found by fuzzing with AFL).

The LWIP_ASSERT is at tcp_in.c:1532 in lwIP v2.1.2.

This if block includes the LWIP_ASSERT.


/* --- code snippet start  --- */

if (next &&
    TCP_SEQ_GT(seqno + tcplen,
               next->tcphdr->seqno)) {

  inseg.len = (u16_t)(next->tcphdr->seqno - seqno);
  if (TCPH_FLAGS(inseg.tcphdr) & TCP_SYN) {
    inseg.len -= 1;
  }
  pbuf_realloc(inseg.p, inseg.len);
  tcplen = TCP_TCPLEN(&inseg);

  /* fails this assertion */
  LWIP_ASSERT("tcp_receive: segment not trimmed correctly to ooseq queue\n",
              (seqno + tcplen) == next->tcphdr->seqno);
}

/* --- code snippet end --- */


In the test case, the arguments of the assertion were as below.


seqno               : 0x93d897e7
tcplen              : 0xffff

next->tcphdr->seqno : 0x93d897e6


And the value of tcplen before the block was 0x0001.

inseg.len is assigned to tcplen.
(next->tcphdr->seqno - seqno) is assigned to inseg.len.

In this case, the value of (next->tcphdr->seqno - seqno) is 0xffffffff,
so this value is out of the range of u16_t.

I think we need to add some other validation checks.




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?55706>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
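The trimming arithmetic quoted in the report, as a stand-alone model that can be compiled and run. This is an added example, not lwIP's code and not the fix applied for this bug: the u16_t/u32_t typedefs and the TCP_SEQ_LT/TCP_SEQ_GT macros follow lwIP's definitions, while trim_unguarded(), trim_guarded(), the guard condition in trim_guarded() and the extra sample values (1000/1050 etc.) are assumptions made for illustration. trim_unguarded() repeats the snippet's steps with the reported values and shows the u32 wrap plus u16_t truncation that leads to the assertion failing; trim_guarded() adds one candidate validation check, refusing a segment whose queued neighbour starts before the segment's own first data byte, which is the case the subtraction cannot express.

```c
/*
 * Stand-alone model of the ooseq trimming step from the bug report.
 * Added example, not lwIP code: the typedefs and TCP_SEQ_* macros follow
 * lwIP's definitions; trim_unguarded(), trim_guarded() and the sample
 * values below are assumptions for illustration.
 * Build: cc -std=c99 -Wall ooseq_trim.c
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32_t;
typedef uint16_t u16_t;
typedef int32_t  s32_t;

/* Modulo-2^32 sequence number comparisons, as lwIP defines them. */
#define TCP_SEQ_LT(a, b)  ((s32_t)((u32_t)(a) - (u32_t)(b)) < 0)
#define TCP_SEQ_GT(a, b)  ((s32_t)((u32_t)(a) - (u32_t)(b)) > 0)

struct trim_result {
  int   trimmed;      /* the trim branch was taken */
  int   rejected;     /* the guarded variant refused the segment */
  u16_t new_len;      /* inseg.len after the step */
  u32_t new_tcplen;   /* tcplen after the step: data length plus 1 for SYN */
  int   assert_holds; /* (seqno + tcplen) == next_seqno, what the LWIP_ASSERT checks */
};

/* TCP_TCPLEN counts a SYN as one sequence number (FIN is left out of this model). */
static u32_t tcplen_of(u16_t len, int syn) {
  return (u32_t)len + (syn ? 1u : 0u);
}

/* Same arithmetic as the quoted snippet: cut the incoming segment so it ends
 * where the next queued out-of-sequence segment starts. Nothing checks that
 * next_seqno is not before seqno. */
struct trim_result trim_unguarded(u32_t seqno, u16_t len, int syn, u32_t next_seqno) {
  struct trim_result r = { 0, 0, len, tcplen_of(len, syn), 1 };
  if (TCP_SEQ_GT(seqno + r.new_tcplen, next_seqno)) {
    r.trimmed = 1;
    /* u32 subtraction wraps when next_seqno < seqno (0xffffffff for a
     * difference of -1); the u16_t cast then keeps only the low 16 bits. */
    r.new_len = (u16_t)(next_seqno - seqno);
    if (syn) {
      r.new_len -= 1;   /* u16 underflow to 0xffff when next_seqno == seqno */
    }
    r.new_tcplen = tcplen_of(r.new_len, syn);
    r.assert_holds = ((seqno + r.new_tcplen) == next_seqno);
  }
  return r;
}

/* Guarded variant (a suggested check, not the lwIP fix): trimming only makes
 * sense when the next segment starts at or after this segment's first data
 * byte, so a segment that would make the subtraction wrap is refused as is. */
struct trim_result trim_guarded(u32_t seqno, u16_t len, int syn, u32_t next_seqno) {
  u32_t first_data = seqno + (syn ? 1u : 0u);
  if (TCP_SEQ_LT(next_seqno, first_data)) {
    struct trim_result r = { 0, 1, len, tcplen_of(len, syn), 1 };
    return r;
  }
  return trim_unguarded(seqno, len, syn, next_seqno);
}

static void show(const char *what, struct trim_result r) {
  printf("%-20s trimmed=%d rejected=%d len=0x%04x tcplen=0x%x assert=%s\n",
         what, r.trimmed, r.rejected, (unsigned)r.new_len,
         (unsigned)r.new_tcplen, r.assert_holds ? "holds" : "FAILS");
}

int main(void) {
  /* Values from the report: tcplen was 1 before the block, no SYN. */
  show("report, unguarded", trim_unguarded(0x93d897e7u, 1, 0, 0x93d897e6u));
  show("report, guarded",   trim_guarded(0x93d897e7u, 1, 0, 0x93d897e6u));
  /* Constructed ordinary overlap: 100 bytes at 1000, next queued at 1050. */
  show("overlap, unguarded", trim_unguarded(1000, 100, 0, 1050));
  show("overlap, guarded",   trim_guarded(1000, 100, 0, 1050));
  return 0;
}
```

With the reported values the unguarded step sets inseg.len to 0xffff and the assertion's left side becomes seqno + 0xffff, which no longer equals next->tcphdr->seqno; the guarded step refuses the segment before the subtraction. The ordinary overlap case trims to 50 bytes in both variants, so the guard does not change the behaviour the trim is there for.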

[bug #55706] LWIP_ASSERT in tcp_receive fails

Ashley Duncan
Follow-up Comment #1, bug #55706 (project lwip):

I believe this is triggered by the input 002 from
https://lists.nongnu.org/archive/html/lwip-devel/2019-12/msg00013.html

    _______________________________________________________
