[bug #57526] Fix the dns entries pcb_idx range

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[bug #57526] Fix the dns entries pcb_idx range

Simon Goldschmidt
URL:
  <https://savannah.nongnu.org/bugs/?57526>

                 Summary: Fix the dns entries pcb_idx range
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: tomcat_84
            Submitted on: Fri 03 Jan 2020 11:44:52 AM UTC
                Category: DNS
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.1.1

    _______________________________________________________

Details:

in dns_send(), when

#if ((LWIP_DNS_SECURE & LWIP_DNS_SECURE_RAND_SRC_PORT) != 0)

condition is met, pcb_idx is taken from the dns_table entry.

This pcb_idx probably can be equal to DNS_TABLE_SIZE, being set so elsewhere.
It is not tested inside dns_send(). It can cause table reading out of range.




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57526>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
Reply | Threaded
Open this post in threaded view
|

[bug #57526] Fix the dns entries pcb_idx range

Simon Goldschmidt
Update of bug #57526 (project lwip):

                  Status:                    None => Invalid                
             Assigned to:                    None => goldsimon              
             Open/Closed:                    Open => Closed                

    _______________________________________________________

Follow-up Comment #1:

I take it this is from reading the code only. Let me explain:
- dns_send() is called for DNS_STATE_NEW and DNS_STATE_ASKING only
- pcb_idx is set to DNS_MAX_SOURCE_PORTS only when the table entry is set to
DNS_STATE_UNUSED

Being like that, this cannot happen. I'll add an assert anyway, but no, it
currently cannot cause table reading out of range.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57526>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
Reply | Threaded
Open this post in threaded view
|

[bug #57526] Fix the dns entries pcb_idx range

Simon Goldschmidt
Follow-up Comment #2, bug #57526 (project lwip):

Silly me, mixed up the versions.

The behavior was observed in test project, but the version used there was
2.0.0.RC1. :)

A line "entry->state = DNS_STATE_DONE" was missing there, which caused
dns_check_entry() to call dns_send() with illegal entry->pcb_idx. This was
already fixed in 2.0.0.RC2 .

Sorry for inconvenience.

Best regards,

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?57526>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel