[bug #58554] Memory disclosure in the 6LoWPAN implementation

[bug #58554] Memory disclosure in the 6LoWPAN implementation

Ashley Duncan
URL:
  <https://savannah.nongnu.org/bugs/?58554>

                 Summary: Memory disclosure in the 6LoWPAN implementation
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: silentdawn
            Submitted on: Fri 12 Jun 2020 05:24:21 PM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Type:
Buffer overflow

Description:
This bug is similar to bug #58553. The function zepif_linkoutput() tries to
parse a 6LoWPAN TX packet as UDP broadcast. When it calls the function
pbuf_take_at(), as shown in line 204 of zepif.c, the same incorrectly used
parameters are passed as in Bug 2. In particular, p->tot_len is the total
length of p->payload plus the payload lengths of all following pbufs. If
p->tot_len is larger than the length of p->payload, memory will leak to
remote attackers through the network. To send the whole packet, it should use
a loop to traverse the list of p->next and send all the payloads with length
p->tot_len.
       
168  zepif_linkoutput(struct netif *netif, struct pbuf *p){
       ...
204    err = pbuf_take_at(q, p->payload, p->tot_len, sizeof(struct zep_hdr));
       ...
214  }

Result:
Memory disclosure.





    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?58554>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
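
Added example (not part of the original report and not lwIP code): a minimal model of the length mismatch described above, next to a copy that walks the chain. struct seg, flat_copy_overread() and chain_copy() are hypothetical names; only the field names next, payload, tot_len and len mirror struct pbuf, and the sample frame is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for lwIP's struct pbuf (hypothetical model). */
struct seg {
    struct seg *next;     /* next segment in the chain, or NULL */
    const void *payload;  /* data held by this segment only */
    size_t tot_len;       /* len of this segment plus all following ones */
    size_t len;           /* length of this segment's payload */
};

/* Bytes that a flat copy of p->tot_len starting at p->payload would read
 * past the end of the first segment's buffer (0 for an unchained buffer). */
size_t flat_copy_overread(const struct seg *p)
{
    return p->tot_len - p->len;
}

/* Copy the whole chain into dst by walking p->next, reading at most q->len
 * bytes from each payload. Returns the number of bytes copied, or 0 if dst
 * is too small or the chain's lengths are inconsistent. */
size_t chain_copy(void *dst, size_t dst_len, const struct seg *p)
{
    size_t off = 0;
    const struct seg *q;

    if (p == NULL || p->tot_len > dst_len) return 0;
    for (q = p; q != NULL; q = q->next) {
        if (q->len > p->tot_len - off) return 0;  /* lengths inconsistent */
        memcpy((unsigned char *)dst + off, q->payload, q->len);
        off += q->len;
    }
    return off == p->tot_len ? off : 0;
}

/* Constructed sample: a 12-byte frame split over two segments (8 + 4). */
static const unsigned char part1[8] = { 'h','e','a','d','e','r','0','1' };
static const unsigned char part2[4] = { 'd','a','t','a' };
static struct seg second = { NULL, part2, 4, 4 };
static struct seg first  = { &second, part1, 12, 8 };

int main(void)
{
    unsigned char out[16];
    size_t n = chain_copy(out, sizeof(out), &first);
    return (n == 12 && flat_copy_overread(&first) == 4) ? 0 : 1;
}
```
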
[bug #58554] Memory disclosure in the 6LoWPAN implementation

Ashley Duncan
Update of bug #58554 (project lwip):

                  Status:                    None => Fixed                  
             Assigned to:                    None => yarrick                
             Open/Closed:                    Open => Closed                

    _______________________________________________________

Follow-up Comment #1:

Fixed in
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=8363c24e45a32728e385cfc2c3c36d88a8a9e70b
