
[lwip-devel] [bug #37705] Possible memory corruption in DNS query


From: Florent Matignon
Subject: [lwip-devel] [bug #37705] Possible memory corruption in DNS query
Date: Fri, 09 Nov 2012 18:15:49 +0000
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0

URL:
  <http://savannah.nongnu.org/bugs/?37705>

                 Summary: Possible memory corruption in DNS query
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: fmatignon
            Submitted on: Fri 09 Nov 2012 18:15:48 GMT
                Category: None
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.3.1

    _______________________________________________________

Details:

Hi,

There is a possible memory corruption when sending a DNS question (in dns_send
function):

When building the packet, hostname is converted from string (passed as "name"
parameter) to DNS format and DNS_MAX_NAME_LENGTH bytes are allocated in pbuf
for this.

Hostname string may be up to DNS_MAX_NAME_LENGTH characters (final '\0'
included, according to strlen check in dns_gethostbyname and buffer allocation
in dns_table_entry structure).

If the given hostname is exactly of the maximum allowed length, the hostname
final '\0' in packet is overwritten by DNS query type leading to packet
corruption.

I'm using lwIP 1.3.2, but this issue seems to be still present on CVS head.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?37705>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
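
The size arithmetic behind this report, as an added example that is not lwIP's code and not part of the original message: a dotted name of N characters needs N + 2 bytes in DNS wire format (a leading length byte plus the terminating zero), so a string that exactly fills a buffer of a given size encodes to one byte more than that size. `EXAMPLE_MAX_NAME_LENGTH` and `dns_encode_name` are hypothetical names, and the constant is a constructed stand-in for `DNS_MAX_NAME_LENGTH`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for DNS_MAX_NAME_LENGTH (not lwIP's value). */
#define EXAMPLE_MAX_NAME_LENGTH 16

/* Encode a dotted name as length-prefixed labels into out[0..cap).
 * Returns the bytes written, terminating zero included, or 0 when the
 * name is empty, has an empty or oversized label, or does not fit.
 * Never writes past out[cap - 1]. */
size_t dns_encode_name(const char *name, uint8_t *out, size_t cap)
{
    size_t pos = 0;

    while (*name != '\0') {
        size_t n = strcspn(name, ".");      /* length of next label */
        if (n == 0 || n > 63)
            return 0;                       /* empty or oversized label */
        if (pos + 1 + n >= cap)
            return 0;                       /* no room left for final zero */
        out[pos++] = (uint8_t)n;            /* length byte replaces the dot */
        memcpy(out + pos, name, n);
        pos += n;
        name += n;
        if (*name == '.')
            name++;
    }
    if (pos == 0)
        return 0;                           /* empty name */
    out[pos++] = 0;                         /* root label ends the name */
    return pos;
}

int main(void)
{
    /* Constructed input: 15 characters + '\0' == EXAMPLE_MAX_NAME_LENGTH. */
    const char *name = "abcdefg.example";
    uint8_t buf[EXAMPLE_MAX_NAME_LENGTH + 1];

    printf("string bytes: %zu\n", strlen(name) + 1);
    printf("cap %d   -> %zu\n", EXAMPLE_MAX_NAME_LENGTH,
           dns_encode_name(name, buf, EXAMPLE_MAX_NAME_LENGTH));
    printf("cap %d+1 -> %zu\n", EXAMPLE_MAX_NAME_LENGTH,
           dns_encode_name(name, buf, EXAMPLE_MAX_NAME_LENGTH + 1));
    return 0;
}
```

The encoder refuses the maximum-length name when given only `EXAMPLE_MAX_NAME_LENGTH` bytes and succeeds with one byte more, which is the byte the report describes being overwritten by the query type.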



