[bug #58552] Memory disclosure for icmp6


[bug #58552] Memory disclosure for icmp6

Ashley Duncan
URL:
  <https://savannah.nongnu.org/bugs/?58552>

                 Summary: Memory disclosure for icmp6
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: silentdawn
            Submitted on: Fri 12 Jun 2020 05:20:15 PM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: 2.1.1

    _______________________________________________________

Details:

This bug still exists in the latest version 2.1.2.

Type:
Buffer overflow

Description:
The function icmp6_send_response_with_addrs_and_netif() tries to parse an
ICMPv6 packet and send it out. Inside it, the function SMEMCPY() as shown in
line 408 of icmp6.c tries to copy a buffer pointed to by p->payload with
length (IP6_HLEN + LWIP_ICMP6_DATASIZE). However, this buffer may be smaller
than (IP6_HLEN + LWIP_ICMP6_DATASIZE). If this happens, it will cause a memory
leakage. To fix this, the length should be compared with p->len.


385 static void icmp6_send_response_with_addrs_and_netif(struct pbuf *p, u8_t code, u32_t data, u8_t type,
                                                         const ip6_addr_t *reply_src, const ip6_addr_t *reply_dest,
                                                         struct netif *netif)
    {
    ...
408   SMEMCPY((u8_t *)q->payload + sizeof(struct icmp6_hdr), (u8_t *)p->payload,
              IP6_HLEN + LWIP_ICMP6_DATASIZE);
    ...
423 }

Result:
Memory disclosure





    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?58552>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
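The over-read described in the report, as an added example that is not lwIP's code and not the project's fix: `struct toy_pbuf` is a stand-in for lwIP's `struct pbuf` with a single contiguous chunk, and the packet is placed at the front of a constructed arena whose remaining bytes are filled with a sentinel that stands for whatever neighbouring pool memory would hold. The fixed-length copy from the report is reproduced beside a copy bounded by `p->len`, and the number of sentinel bytes that reach the reply is counted. The sizes (`IP6_HLEN` 40, `LWIP_ICMP6_DATASIZE` 8, an 8-byte ICMPv6 header) are lwIP's defaults; `ARENA_LEN`, `SHORT_LEN`, `SENTINEL`, `make_arena`, `build_reply_*`, `count_sentinel`, `leaked_bytes` and `reply_len` are assumed names for this illustration.

```c
/*
 * Added example (not lwIP code): models the fixed-length copy reported in
 * bug #58552 against a toy pbuf and shows a copy bounded by p->len beside it.
 * The packet sits inside a larger arena whose tail is filled with a sentinel,
 * so the over-read stays inside our own allocation and can be measured
 * instead of crashing. Names and sizes below are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HLEN             40    /* IPv6 fixed header, as in lwIP */
#define LWIP_ICMP6_DATASIZE  8     /* lwIP default from opt.h */
#define ICMP6_HDR_LEN        8     /* type, code, checksum, data */
#define COPY_LEN             (IP6_HLEN + LWIP_ICMP6_DATASIZE)   /* 48 bytes */

#define ARENA_LEN   64      /* assumed: chunk holding the packet plus its neighbours */
#define SHORT_LEN   16      /* assumed: truncated offending packet, shorter than COPY_LEN */
#define SENTINEL    0xAA    /* stands in for whatever sits after the packet in memory */

/* Minimal stand-in for lwIP's struct pbuf: one contiguous chunk (assumption). */
struct toy_pbuf {
    uint8_t *payload;
    uint16_t len;
};

/* Constructed input: SHORT_LEN recognisable packet bytes, then SENTINEL bytes. */
void make_arena(uint8_t arena[ARENA_LEN], struct toy_pbuf *p)
{
    memset(arena, SENTINEL, ARENA_LEN);
    for (size_t i = 0; i < SHORT_LEN; i++) {
        arena[i] = (uint8_t)i;            /* 00..0f, never equal to SENTINEL */
    }
    p->payload = arena;
    p->len = SHORT_LEN;
}

/* Write an ICMPv6 header: type, code, zero checksum (left to the IP layer), 32-bit data. */
static void put_icmp6_hdr(uint8_t *out, uint8_t type, uint8_t code, uint32_t data)
{
    out[0] = type;
    out[1] = code;
    out[2] = 0;
    out[3] = 0;
    out[4] = (uint8_t)(data >> 24);
    out[5] = (uint8_t)(data >> 16);
    out[6] = (uint8_t)(data >> 8);
    out[7] = (uint8_t)data;
}

/* The reported pattern: always copies COPY_LEN bytes, never looks at p->len. */
size_t build_reply_unchecked(uint8_t out[ICMP6_HDR_LEN + COPY_LEN], const struct toy_pbuf *p)
{
    put_icmp6_hdr(out, 1, 0, 0);                         /* type 1: destination unreachable */
    memcpy(out + ICMP6_HDR_LEN, p->payload, COPY_LEN);   /* over-reads when p->len < COPY_LEN */
    return ICMP6_HDR_LEN + COPY_LEN;
}

/* Bounded variant: copy only what the pbuf actually holds, and size the reply to match. */
size_t build_reply_bounded(uint8_t out[ICMP6_HDR_LEN + COPY_LEN], const struct toy_pbuf *p)
{
    size_t n = p->len < COPY_LEN ? p->len : COPY_LEN;
    put_icmp6_hdr(out, 1, 0, 0);
    memcpy(out + ICMP6_HDR_LEN, p->payload, n);
    return ICMP6_HDR_LEN + n;
}

/* Number of bytes in buf that came from neighbouring memory rather than the packet. */
size_t count_sentinel(const uint8_t *buf, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        hits += (buf[i] == SENTINEL);
    }
    return hits;
}

/* Run the scenario end to end: how many neighbouring bytes reach the reply? */
size_t leaked_bytes(int bounded)
{
    uint8_t arena[ARENA_LEN], reply[ICMP6_HDR_LEN + COPY_LEN];
    struct toy_pbuf p;
    make_arena(arena, &p);
    size_t n = bounded ? build_reply_bounded(reply, &p) : build_reply_unchecked(reply, &p);
    return count_sentinel(reply, n);
}

/* Total reply length produced by either variant for the same short packet. */
size_t reply_len(int bounded)
{
    uint8_t arena[ARENA_LEN], reply[ICMP6_HDR_LEN + COPY_LEN];
    struct toy_pbuf p;
    make_arena(arena, &p);
    return bounded ? build_reply_bounded(reply, &p) : build_reply_unchecked(reply, &p);
}

int main(void)
{
    printf("unchecked: %zu-byte reply, %zu bytes of neighbouring memory included\n",
           reply_len(0), leaked_bytes(0));
    printf("bounded:   %zu-byte reply, %zu bytes of neighbouring memory included\n",
           reply_len(1), leaked_bytes(1));
    return 0;
}
```

With a 16-byte packet the unchecked copy emits a 56-byte reply of which 32 bytes are sentinel, i.e. memory the sender never put on the wire; the bounded copy emits 24 bytes and none of them. One caveat for a real lwIP port: `p->len` is only the length of the first chunk of a possibly chained pbuf, so a production check should work from `p->tot_len` and copy with `pbuf_copy_partial()` rather than a flat `memcpy` from `p->payload`.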

[bug #58552] Memory disclosure for icmp6

Ashley Duncan
Follow-up Comment #1, bug #58552 (project lwip):

The code was changed while solving bug #56013:
http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d843e47a1d65451bd7f7aaa5017b408bd108be88

Do you still think it can happen?



[bug #58552] Memory disclosure for icmp6

Ashley Duncan
Follow-up Comment #2, bug #58552 (project lwip):

[comment #1 comment #1:]
> The code was changed while solving bug #56013:
>
http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d843e47a1d65451bd7f7aaa5017b408bd108be88
>
> Do you still think it can happen?
>

