[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #37705] Possible memory corruption in DNS query
From: |
Florent Matignon |
Subject: |
[lwip-devel] [bug #37705] Possible memory corruption in DNS query |
Date: |
Fri, 09 Nov 2012 18:15:49 +0000 |
User-agent: |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0 |
URL:
<http://savannah.nongnu.org/bugs/?37705>
Summary: Possible memory corruption in DNS query
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: fmatignon
Submitted on: ven. 09 nov. 2012 18:15:48 GMT
Category: None
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.3.1
_______________________________________________________
Details:
Hi,
There is a possible memory corruption when sending a DNS question (in dns_send
function):
When building the packet, hostname is converted from string (passed as "name"
parameter) to DNS format and DNS_MAX_NAME_LENGTH bytes are allocated in pbuf
for this.
Hostname string may be up to DNS_MAX_NAME_LENGTH characters (final '\\0'
included, according to strlen check in dns_gethostbyname and buffer allocation
in dns_table_entry structure).
If the given hostname is exactly of the maximum allowed length, the hostname
final '\\0' in packet is overwritten by DNS query type leading to packet
corruption.
I'm using lwIP 1.3.2, but this issue seems to be still present on CSV head.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?37705>
_______________________________________________
Message posté via/par Savannah
http://savannah.nongnu.org/
- [lwip-devel] [bug #37705] Possible memory corruption in DNS query,
Florent Matignon <=