Summary: Assertion "mss_local is too small" failed
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: vhertz
Submitted on: Sat 07 Dec 2019 01:13:38 PM UTC
Severity: 3 - Normal
Item Group: Crash Error
Assigned to: None
Discussion Lock: Any
Planned Release: None
lwIP version: Other
This is one of the assertion failures I found by fuzzing (to lwIP
The following LWIP_ASSERT() at lwip/src/core/tcp_out.c:486 fails.
LWIP_ASSERT("mss_local is too small", mss_local >= last_unsent->len +
As described in the assertion, too small MSS causes this failure.
Incoming packets can set MSS in the range of 0 < MSS < TCP_MSS.
At tcp_in.c:1943, pcb->mss is set as below without any other validation:
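The report above turns on a peer-supplied MSS that is accepted with only an upper bound, so a tiny value later violates the `mss_local >= last_unsent->len + ...` precondition in tcp_out.c. The C below is an added illustration of the defensive shape of that check, written for this page; it is not lwIP's code and not the fix the project eventually applied. The names `parse_mss_option`, `clamp_mss`, `segment_fits`, `MSS_FLOOR` and the sample option bytes are assumptions constructed for the example; `TCP_MSS` is set to lwIP's common Ethernet default only for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constants for this example (not lwIP's configuration):
 * TCP_MSS mimics the usual Ethernet default; MSS_FLOOR is an assumed lower
 * bound (RFC 879's IPv4 default of 536) so that a segment plus any options
 * we append can still fit in the effective MSS. */
#define TCP_MSS     1460u
#define MSS_FLOOR    536u
#define TCP_OPT_EOL  0
#define TCP_OPT_NOP  1
#define TCP_OPT_MSS  2

/* Walk the TCP option bytes of a SYN and return the advertised MSS.
 * Returns 0 when the option is absent or the option list is malformed. */
static uint16_t parse_mss_option(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCP_OPT_EOL) {
            break;
        }
        if (kind == TCP_OPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len) {
            return 0;                       /* truncated option header */
        }
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) {
            return 0;                       /* bogus length, stop parsing */
        }
        if (kind == TCP_OPT_MSS) {
            if (olen != 4) {
                return 0;                   /* MSS option must be 4 bytes */
            }
            return (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
        }
        i += olen;
    }
    return 0;
}

/* Bound the peer's value on both sides: 0 or oversized falls back to the
 * default, and anything below the floor is raised to the floor. The bug
 * report describes a path with only the upper bound, which lets 1..535 in. */
static uint16_t clamp_mss(uint16_t advertised)
{
    if (advertised == 0 || advertised > TCP_MSS) {
        return TCP_MSS;
    }
    if (advertised < MSS_FLOOR) {
        return MSS_FLOOR;
    }
    return advertised;
}

/* Model of the precondition the failing assertion expresses: the pending
 * segment's payload plus the option bytes to be added must fit in mss_local. */
static int segment_fits(uint16_t mss_local, uint16_t seg_len, uint16_t optlen)
{
    return (uint32_t)seg_len + optlen <= mss_local;
}

int main(void)
{
    /* Constructed SYN option bytes: NOP, NOP, MSS option advertising 1. */
    const uint8_t hostile[] = { 1, 1, 2, 4, 0x00, 0x01 };
    uint16_t raw = parse_mss_option(hostile, sizeof hostile);
    uint16_t safe = clamp_mss(raw);
    printf("advertised=%u clamped=%u fits(raw)=%d fits(clamped)=%d\n",
           raw, safe, segment_fits(raw, 10, 12), segment_fits(safe, 10, 12));
    return 0;
}
```

`segment_fits` is the part worth comparing with the page: with the raw value it is false for any real segment, which is the situation the assertion catches after the fact; with the clamped value the invariant holds before the segment is ever queued.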
[bug #57375] Assertion "mss_local is too small" failed
Follow-up Comment #1, bug #57375 (project lwip):
I can reproduce this with the latest code by simulating the old rand
$ cd test/fuzz
$ make all D="-DLWIP_RAND_FOR_FUZZ_SIMULATE_GLIBC"
$ ./lwip_fuzz3 crashed_inputs/004
reading input from file... testing file: "crashed_inputs/004"...
Assertion "mss_local is too small" failed at line 486 in
Aborted (core dumped)
The relevant code was changed in fixing bug #25882, bug #36153 and bug #37184,
so any fix must be carefully designed.