[bug #58553] Memory disclosure for icmp6 in git master branch


[bug #58553] Memory disclosure for icmp6 in git master branch

Ashley Duncan
URL:
  <https://savannah.nongnu.org/bugs/?58553>

                 Summary: Memory disclosure for icmp6 in git master branch
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: silentdawn
            Submitted on: Fri 12 Jun 2020 05:22:10 PM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Type:
Buffer overflow

Description:
This bug is related to bug #58552. We have observed the changes made to the
same place in the master branch. However, the bug still exists. The function
pbuf_take_at() replaces the function SMEMCPY() in the master branch. However,
it is still vulnerable.
The function pbuf_take_at() tries to copy fields from the original packet as
shown in line 409 of icmp6.c. The parameter len of the function pbuf_take_at()
is the length of another parameter, dataptr. However, the function
icmp6_send_response_with_addrs_and_netif() passes the parameters p->payload
and p->tot_len to the function pbuf_take_at(); p->tot_len is the length of
p->payload plus the payload lengths of all following pbufs. If p->tot_len
is larger than the length of p->payload, the memory will leak to remote
attackers through the network. To fix this, the datalen should be p->len, not
p->tot_len.

       
385
static void icmp6_send_response_with_addrs_and_netif(struct pbuf *p, u8_t
code, u32_t data, u8_t type, const ip6_addr_t *reply_src, const ip6_addr_t
*reply_dest, struct netif *netif)
387
{

...
409
pbuf_take_at(q, p->payload, datalen, sizeof(struct icmp6_hdr));

...
423
}

Result:
Memory disclosure.





    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?58553>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
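The report above turns on the difference between a pbuf's len (bytes in that one segment) and its tot_len (bytes in that segment plus every segment chained after it). The following C program is an added example, not lwIP code and not from the bug report: it models a three-segment chain with a made-up struct mpbuf (the names chain_link, overread_bytes, copy_from_chain and demo_* are invented here), computes how far a flat copy bounded by tot_len would read past the first segment, and shows the bounded alternative, which walks the chain and takes at most len bytes from each segment rather than the full remaining count from any one of them (the point of follow-up comment #3 below).

```c
/* Added example (not lwIP's code): a minimal model of an lwIP-style pbuf
 * chain that shows why the byte count handed to a copy routine must be
 * bounded by the bytes present in the segment it reads from (len), not by
 * the total of the whole chain (tot_len).  The names mpbuf, chain_link,
 * overread_bytes, copy_from_chain and demo_* are made up for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for struct pbuf: payload pointer, bytes in this segment (len),
 * bytes in this segment plus all following segments (tot_len), next link. */
struct mpbuf {
    struct mpbuf *next;
    uint8_t *payload;
    uint16_t len;
    uint16_t tot_len;
};

/* Link bufs[0..n) into a chain and compute tot_len the way lwIP defines it:
 * tot_len of a segment = its len + tot_len of the segment after it. */
static void chain_link(struct mpbuf *bufs, size_t n) {
    uint16_t acc = 0;
    for (size_t i = n; i-- > 0;) {
        bufs[i].next = (i + 1 < n) ? &bufs[i + 1] : NULL;
        acc = (uint16_t)(acc + bufs[i].len);
        bufs[i].tot_len = acc;
    }
}

/* Bytes a flat copy of `datalen` bytes starting at p->payload would read
 * past the end of p's own segment.  Zero means the copy stays in bounds. */
static size_t overread_bytes(const struct mpbuf *p, size_t datalen) {
    return datalen > p->len ? datalen - p->len : 0;
}

/* Bounded copy of up to `want` bytes of packet data out of a chain: take at
 * most q->len bytes from each segment and stop when `want`, the destination,
 * or the chain is exhausted.  Returns the number of bytes written to dst. */
static size_t copy_from_chain(uint8_t *dst, size_t dstcap,
                              const struct mpbuf *p, size_t want) {
    size_t copied = 0;
    if (want > dstcap) want = dstcap;
    for (const struct mpbuf *q = p; q != NULL && copied < want; q = q->next) {
        size_t take = q->len;
        if (take > want - copied) take = want - copied;
        memcpy(dst + copied, q->payload, take);
        copied += take;
    }
    return copied;
}

/* Constructed sample chain: three segments holding 8 + 12 + 4 = 24 bytes,
 * filled with the running byte index so the copy result can be checked. */
static uint8_t seg0[8], seg1[12], seg2[4];
static struct mpbuf sample[3];

static const struct mpbuf *build_sample(void) {
    uint8_t *segs[3] = { seg0, seg1, seg2 };
    uint16_t lens[3] = { 8, 12, 4 };
    uint8_t v = 0;
    for (size_t i = 0; i < 3; i++) {
        for (uint16_t k = 0; k < lens[i]; k++) segs[i][k] = v++;
        sample[i].payload = segs[i];
        sample[i].len = lens[i];
    }
    chain_link(sample, 3);
    return &sample[0];
}

/* tot_len as the count for a copy that reads from the first segment alone:
 * with this chain it would read 24 - 8 = 16 bytes of adjacent memory. */
static size_t demo_overread_with_tot_len(void) {
    const struct mpbuf *p = build_sample();
    return overread_bytes(p, p->tot_len);
}

/* len as the count stays within the segment: 0 bytes of over-read. */
static size_t demo_overread_with_len(void) {
    const struct mpbuf *p = build_sample();
    return overread_bytes(p, p->len);
}

/* The chain-walking copy gathers exactly tot_len bytes in order; returns 1
 * when every copied byte matches its index, 0 otherwise. */
static int demo_chain_copy_correct(void) {
    const struct mpbuf *p = build_sample();
    uint8_t out[64];
    size_t n = copy_from_chain(out, sizeof out, p, p->tot_len);
    if (n != p->tot_len) return 0;
    for (size_t i = 0; i < n; i++) if (out[i] != (uint8_t)i) return 0;
    return 1;
}

/* Asking for fewer bytes than the chain holds (here 10, crossing the first
 * segment boundary) copies exactly that many and no more. */
static size_t demo_chain_copy_partial(void) {
    const struct mpbuf *p = build_sample();
    uint8_t out[64];
    return copy_from_chain(out, sizeof out, p, 10);
}
```

The check a reviewer would apply to any pbuf copy is the one overread_bytes() encodes: the count passed with a single segment's payload pointer must never exceed that segment's len; anything larger has to be served by walking the chain.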
[bug #58553] Memory disclosure for icmp6 in git master branch

Ashley Duncan
Follow-up Comment #1, bug #58553 (project lwip):

I have reproduced this in a unit test and will try fixing it.

    _______________________________________________________
[bug #58553] Memory disclosure for icmp6 in git master branch

Ashley Duncan
Update of bug #58553 (project lwip):

                  Status:                    None => Fixed                  
             Assigned to:                    None => yarrick                
             Open/Closed:                    Open => Closed                

    _______________________________________________________

Follow-up Comment #2:

Fixed in
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=489405839ae0fea8b99c4896f632eb688dc8a19a

    _______________________________________________________
[bug #58553] Memory disclosure for icmp6 in git master branch

Ashley Duncan
Follow-up Comment #3, bug #58553 (project lwip):

Oops, it still copied the full datalen each time.

Fixed in
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=488d4ad2460c3b41bef69724cad89c28a905eda9

    _______________________________________________________