lwip-devel
From: Hiromasa ITO
Subject: [lwip-devel] [bug #51447] Sequence number comparisons invoke implementation-defined behavior
Date: Mon, 28 Jan 2019 21:27:46 -0500 (EST)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15

Follow-up Comment #11, bug #51447 (project lwip):

I found some testcases that caused a crash by this bug while fuzzing with AFL.
(I used experimental multi-packet fuzzing and some additional seeds made by
myself.)

It happened in tcp_receive()... (around tcp_in.c:1429 in lwIP v2.1.2)


/* --- code snippet start --- */

if (TCP_SEQ_BETWEEN(pcb->rcv_nxt, seqno + 1, seqno + tcplen - 1)) {
    u32_t off32 = pcb->rcv_nxt - seqno;

    /* This assertion failed and crashed. */
    LWIP_ASSERT("insane offset!", (off32 < 0xffff));

    [...]
}

/* --- code snippet end --- */


In one testcase that caused a crash, the arguments of TCP_SEQ_BETWEEN were as below.


seqno + 1          : 0x13d897cb
seqno + tcplen - 1 : 0x13d897ca
pcb->rcv_nxt       : 0x93d897ca


In this case, TCP_SEQ_BETWEEN should return FALSE, but it actually returned TRUE
because ((pcb->rcv_nxt) - (seqno + tcplen - 1)) >= 2^31.
Then off32 was greater than 0xffff, so LWIP_ASSERT failed and crashed.

I think this result shows that this bug is not just "theoretical" but
"practical".

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?51447>
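The following is an added example, written for this page and not code from lwIP or from the bug reporter. It re-declares lwIP-style sequence macros (assumed to match lwIP's tcp_priv.h; the s32_t cast of an unsigned value above 0x7fffffff is the implementation-defined step the bug is about), feeds them the values reported in the comment above to show why the assertion path is reached, and then contrasts a cast-free serial-number comparison with an explicit empty-range check. The cast-free variant is an illustration of one defensive formulation, not lwIP's actual fix.

```c
/* Added example (not lwIP code): reproduces the sequence-number comparison
 * from the comment above with the reported values, then shows a cast-free
 * formulation plus an explicit empty-range check as one way to avoid the
 * assertion path. Compile: cc -std=c99 -Wall seq_between_demo.c */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32_t;
typedef int32_t  s32_t;

/* lwIP-style macros, re-declared here from memory (assumed to match lwIP's
 * tcp_priv.h). Converting an unsigned value above 0x7fffffff to s32_t is
 * implementation-defined in ISO C, which is the point of bug #51447. */
#define TCP_SEQ_LT(a,b)        ((s32_t)((u32_t)(a) - (u32_t)(b)) < 0)
#define TCP_SEQ_LEQ(a,b)       ((s32_t)((u32_t)(a) - (u32_t)(b)) <= 0)
#define TCP_SEQ_GEQ(a,b)       ((s32_t)((u32_t)(a) - (u32_t)(b)) >= 0)
#define TCP_SEQ_BETWEEN(a,b,c) (TCP_SEQ_GEQ(a,b) && TCP_SEQ_LEQ(a,c))

/* The check from tcp_receive() as quoted above: is rcv_nxt inside
 * [seqno + 1, seqno + tcplen - 1]?  Returns 1 when the macro says yes. */
int lwip_style_between(u32_t rcv_nxt, u32_t seqno, u32_t tcplen)
{
    return TCP_SEQ_BETWEEN(rcv_nxt, seqno + 1, seqno + tcplen - 1) ? 1 : 0;
}

/* The offset the failing LWIP_ASSERT inspects (it must be < 0xffff). */
u32_t trim_offset(u32_t rcv_nxt, u32_t seqno)
{
    return rcv_nxt - seqno;
}

/* Cast-free serial-number comparison (RFC 1982 style): a precedes b when the
 * unsigned distance from a to b is non-zero and below half the space. A
 * distance of exactly 2^31 is treated as "not before", so the reported case
 * comes out as "not <=" instead of depending on the sign of a cast. */
int seq_lt_u(u32_t a, u32_t b)
{
    u32_t d = b - a;              /* wraps modulo 2^32, fully defined */
    return d != 0 && d < 0x80000000u;
}

int seq_leq_u(u32_t a, u32_t b)
{
    return a == b || seq_lt_u(a, b);
}

/* Hardened "between": reject an empty range (end before start) up front, then
 * test a in [b, c] with the cast-free comparisons. This is an assumed
 * alternative for illustration, not lwIP's actual fix for the bug. */
int seq_between_safe(u32_t a, u32_t b, u32_t c)
{
    if (seq_lt_u(c, b)) {
        return 0;                 /* an empty range can never contain a */
    }
    return (seq_leq_u(b, a) && seq_leq_u(a, c)) ? 1 : 0;
}

/* Same call shape as the tcp_receive() check, using the hardened test. */
int safe_between_check(u32_t rcv_nxt, u32_t seqno, u32_t tcplen)
{
    return seq_between_safe(rcv_nxt, seqno + 1, seqno + tcplen - 1);
}

int main(void)
{
    /* Values from the crashing testcase in the comment: seqno + 1 is
     * 0x13d897cb and seqno + tcplen - 1 is 0x13d897ca, so tcplen == 1. */
    u32_t rcv_nxt = 0x93d897caU, seqno = 0x13d897caU, tcplen = 1;

    printf("lwIP-style BETWEEN : %d\n", lwip_style_between(rcv_nxt, seqno, tcplen));
    printf("off32              : 0x%08x (assert needs < 0xffff)\n",
           (unsigned)trim_offset(rcv_nxt, seqno));
    printf("cast-free BETWEEN  : %d\n", safe_between_check(rcv_nxt, seqno, tcplen));
    return 0;
}
```

With the reported values the lwIP-style macro answers "in range" because rcv_nxt - (seqno + tcplen - 1) is exactly 0x80000000, which the s32_t cast turns negative on two's-complement compilers, while rcv_nxt - seqno is 0x80000000 and trips the offset assertion. The cast-free variant first notices that the range [seqno + 1, seqno] is empty and returns 0, so the offset computation is never reached for this packet; a fuzzer seed like this one is a useful regression input for whichever comparison a stack finally adopts.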