[bug #57375] Assertion "mss_local is too small" failed


[bug #57375] Assertion "mss_local is too small" failed

Ashley Duncan
URL:
  <https://savannah.nongnu.org/bugs/?57375>

                 Summary: Assertion "mss_local is too small" failed
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: vhertz
            Submitted on: Sat 07 Dec 2019 01:13:38 PM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: Other

    _______________________________________________________

Details:

Hi, all.

This is one of the assertion failures I found by fuzzing (to lwIP
ver2.1.0.RC1).
The following LWIP_ASSERT() at lwip/src/core/tcp_out.c:486 fails.


LWIP_ASSERT("mss_local is too small", mss_local >= last_unsent->len +
unsent_optlen);


As described in the assertion, a too-small MSS causes this failure.
Incoming packets can set MSS in the range 0 < MSS < TCP_MSS.
At tcp_in.c:1943, pcb->mss is set as below without any other validation:


pcb->mss = ((mss > TCP_MSS) || (mss == 0)) ? TCP_MSS : mss;


You can reproduce this failure with 'crashed_inputs/004' attached to the
following message of lwip-devel:
https://lists.nongnu.org/archive/html/lwip-devel/2019-12/msg00013.html




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57375>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
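The following C program is an added illustration of the two lines quoted in the report above; it is not lwIP code and not the project's fix. It mirrors the clamp from tcp_in.c:1943 and the condition from the LWIP_ASSERT at tcp_out.c:486 as standalone functions, then counts how many peer-advertised MSS values pass the clamp yet cannot hold a given unsent segment. TCP_MSS is set to 536 (lwIP's default in opt.h); EXAMPLE_MSS_FLOOR and the floored clamp are assumptions introduced here to show one defensive lower bound, not the change the maintainers chose.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not lwIP code. TCP_MSS uses lwIP's default (536,
 * opt.h); EXAMPLE_MSS_FLOOR is a hypothetical constant for this example. */
#define TCP_MSS 536u
#define EXAMPLE_MSS_FLOOR 64u

typedef uint16_t u16_t;

/* Mirrors the clamp quoted from tcp_in.c:1943: only 0 and values above
 * TCP_MSS are replaced, so any 1 <= mss <= TCP_MSS is accepted as-is. */
u16_t clamp_mss_as_reported(u16_t mss) {
    return (u16_t)(((mss > TCP_MSS) || (mss == 0)) ? TCP_MSS : mss);
}

/* The condition checked by the LWIP_ASSERT at tcp_out.c:486: the effective
 * MSS must be able to carry the last unsent segment plus its TCP options.
 * Returns 1 when the assertion would hold, 0 when it would fire. */
int mss_assertion_holds(u16_t mss_local, u16_t unsent_len, u16_t unsent_optlen) {
    return (unsigned)mss_local >= (unsigned)unsent_len + (unsigned)unsent_optlen;
}

/* Hypothetical hardened variant: additionally treat an MSS below the floor
 * as invalid and fall back to TCP_MSS, so a tiny peer-supplied MSS cannot
 * leave the stack with a segment size that fits no segment at all. */
u16_t clamp_mss_with_floor(u16_t mss) {
    if (mss == 0 || mss > TCP_MSS || mss < EXAMPLE_MSS_FLOOR) {
        return TCP_MSS;
    }
    return mss;
}

/* Walk every 16-bit MSS a peer could advertise, run it through the given
 * clamp, and count the values for which the assertion would fail. */
unsigned count_failing_mss(u16_t unsent_len, u16_t unsent_optlen,
                           u16_t (*clamp)(u16_t)) {
    unsigned failing = 0;
    for (unsigned mss = 0; mss <= 0xFFFFu; mss++) {
        u16_t local = clamp((u16_t)mss);
        if (!mss_assertion_holds(local, unsent_len, unsent_optlen)) {
            failing++;
        }
    }
    return failing;
}

int main(void) {
    /* Constructed sample: a 4-byte unsent payload with 4 bytes of options. */
    u16_t len = 4, optlen = 4;
    printf("reported clamp: %u of 65536 MSS values would trip the assertion\n",
           count_failing_mss(len, optlen, clamp_mss_as_reported));
    printf("floored clamp:  %u of 65536 MSS values would trip the assertion\n",
           count_failing_mss(len, optlen, clamp_mss_with_floor));
    return 0;
}
```

With the constructed 4+4 byte segment, the reported clamp admits MSS values 1 through 7, each of which makes the assertion condition false, while the floored clamp admits none of them. The exact floor is the part that needs the careful design the follow-up mentions, since it also changes which legitimate peers are accepted.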

[bug #57375] Assertion "mss_local is too small" failed

Ashley Duncan
Follow-up Comment #1, bug #57375 (project lwip):

I can reproduce this with the latest code by simulating the old rand
implementation:

$ cd test/fuzz
$ make all D="-DLWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC"
$ ./lwip_fuzz3 crashed_inputs/004
reading input from file... testing file: "crashed_inputs/004"...
Assertion "mss_local is too small" failed at line 486 in
../../src/core/tcp_out.c
Aborted (core dumped)


The relevant code was changed in fixing bug #25882, bug #36153 and bug #37184,
so any fix must be carefully designed.

