[bug #59468] null pointer dereference of lwip function ip_reass_free_complete_datagram


[bug #59468] null pointer dereference of lwip function ip_reass_free_complete_datagram

yuanjianmin
URL:
  <https://savannah.nongnu.org/bugs/?59468>

                 Summary: null pointer dereference of lwip function
ip_reass_free_complete_datagram
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: silentdawn
            Submitted on: Tue 17 Nov 2020 12:47:52 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

The lwip function ip_reass_free_complete_datagram() is used to free a datagram
(struct ip_reassdata) and all its pbufs. It is called periodically by the
function ip_reass_tmr(), or by the function ip_reass_remove_oldest_datagram()
to clear the oldest datagram.

When building struct ip_reass_helper *iprh, the function
ip_reass_free_complete_datagram() dereferences the pointer ipr->p->payload, as
shown here:
https://github.com/STMicroelectronics/STM32CubeH7/blob/beced99ac090fece04d1e0eb6648b8075e156c6c/Middlewares/Third_Party/LwIP/src/core/ipv4/ip4_frag.c#L178.

However, it doesn't check whether ipr->p is a null pointer, and there is a
chance it could be. This leads to a null pointer dereference.

It can be reproduced with the attached file, a pcap capture.

To patch it, the function ip_reass_free_complete_datagram should first check
whether ipr->p is null.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 17 Nov 2020 12:47:52 AM UTC  Name: testcase0.txt  Size: 4KiB   By:
silentdawn

<http://savannah.nongnu.org/bugs/download.php?file_id=50288>

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?59468>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
https://lists.nongnu.org/mailman/listinfo/lwip-devel
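The following C program is an added illustration of the pattern the report describes; it is not code from the report, the lwIP project or the linked ip4_frag.c. The structures are reduced, constructed stand-ins (struct pbuf, struct ip_reass_helper, struct ip_reassdata with only the fields the model needs), the helper that lives at the start of each fragment's payload links the fragments, and make_datagram() builds a constructed chain. free_datagram_unguarded() reads the first helper through ipr->p->payload before anything else, which is the unchecked access the report points at; free_datagram_guarded() adds the ipr->p null check the report asks for and returns 0 freed pbufs for an empty datagram instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the lwIP structures named in the report.
 * They are NOT lwIP's definitions; fields are reduced to what the model needs. */
struct pbuf {
    void *payload;          /* first bytes hold a struct ip_reass_helper */
    unsigned short len;
};

struct ip_reass_helper {
    struct pbuf *next_pbuf; /* next fragment in the chain, or NULL */
    unsigned short start;   /* fragment offset in bytes */
    unsigned short end;
};

struct ip_reassdata {
    struct pbuf *p;         /* first queued fragment, or NULL if none */
};

/* Build a constructed datagram of nfrags 8-byte fragments linked via helpers.
 * nfrags == 0 yields a datagram whose p is NULL, the case the report describes. */
static struct ip_reassdata *make_datagram(int nfrags)
{
    struct ip_reassdata *ipr = calloc(1, sizeof *ipr);
    struct pbuf *prev = NULL;
    for (int i = 0; i < nfrags; i++) {
        struct pbuf *p = calloc(1, sizeof *p);
        struct ip_reass_helper *h = calloc(1, sizeof *h);
        h->start = (unsigned short)(i * 8);
        h->end   = (unsigned short)(h->start + 8);
        p->payload = h;
        p->len = 8;
        if (prev == NULL)
            ipr->p = p;
        else
            ((struct ip_reass_helper *)prev->payload)->next_pbuf = p;
        prev = p;
    }
    return ipr;
}

/* Release the fragment chain; returns how many pbufs were freed. */
static int free_chain(struct pbuf *p)
{
    int freed = 0;
    while (p != NULL) {
        struct pbuf *next = ((struct ip_reass_helper *)p->payload)->next_pbuf;
        free(p->payload);
        free(p);
        p = next;
        freed++;
    }
    return freed;
}

/* Model of the reported pattern: the first helper is read through
 * ipr->p->payload before anything else, so a datagram with p == NULL
 * dereferences NULL right here. Never call this with make_datagram(0). */
static int free_datagram_unguarded(struct ip_reassdata *ipr)
{
    struct ip_reass_helper *iprh = (struct ip_reass_helper *)ipr->p->payload;
    int has_first_fragment = (iprh->start == 0);   /* shows the early read */
    (void)has_first_fragment;
    int freed = free_chain(ipr->p);
    free(ipr);
    return freed;
}

/* The fix the report asks for: test ipr->p before deriving iprh from it. */
static int free_datagram_guarded(struct ip_reassdata *ipr)
{
    if (ipr->p == NULL) {
        free(ipr);
        return 0;           /* nothing queued: no helper to read, nothing to free */
    }
    struct ip_reass_helper *iprh = (struct ip_reass_helper *)ipr->p->payload;
    int has_first_fragment = (iprh->start == 0);
    (void)has_first_fragment;
    int freed = free_chain(ipr->p);
    free(ipr);
    return freed;
}

int main(void)
{
    printf("3 fragments, guarded: freed %d\n", free_datagram_guarded(make_datagram(3)));
    printf("0 fragments, guarded: freed %d\n", free_datagram_guarded(make_datagram(0)));
    /* free_datagram_unguarded(make_datagram(0)) would dereference NULL */
    return 0;
}
```

The check belongs at the top of the free routine rather than in its callers: both ip_reass_tmr() and ip_reass_remove_oldest_datagram() reach the same code, so guarding once where ipr->p is first read covers every path.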