[lwip-devel] [bug #22692] TCP: Header length not checked to be > 20
From: Jared Grubb
Subject: [lwip-devel] [bug #22692] TCP: Header length not checked to be > 20
Date: Sat, 22 Mar 2008 14:55:23 +0000
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.12pre) Gecko/20080118 Camino/1.6b2 (like Firefox/2.0.0.12pre)
URL:
<http://savannah.nongnu.org/bugs/?22692>
Summary: TCP: Header length not checked to be > 20
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: jgrubb
Submitted on: Saturday 03/22/2008 at 07:55
Category: TCP
Severity: 6 - Security
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
_______________________________________________________
Details:
hdrlen = TCPH_HDRLEN(tcphdr);
if(pbuf_header(p, -(hdrlen * 4))){
...
}
There should be a check to make sure that hdrlen >= 5 (i.e. 20 bytes). The code
currently checks whether the hdrlen given will overrun the whole packet, but
does not verify that the value is a valid TCP header length.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?22692>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
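
The two-sided check the report describes, as an added example that is not part of the original message and is not lwIP code. It works on a raw byte buffer instead of lwIP's pbuf, and the names tcp_validated_hdrlen and check_sample are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_MIN_HDR_WORDS 5u  /* 5 * 4 = 20 bytes: the fixed TCP header */

/* Hypothetical helper, not an lwIP function. seg points at the first byte
 * of the TCP header; seg_len is the number of bytes actually received.
 * Returns the header length in bytes (20..60), or -1 to drop the segment. */
int tcp_validated_hdrlen(const uint8_t *seg, size_t seg_len)
{
    unsigned hdr_words;

    /* The fixed header must be present before any field is read. */
    if (seg == NULL || seg_len < TCP_MIN_HDR_WORDS * 4u)
        return -1;

    /* Data offset: upper 4 bits of byte 12, counted in 32-bit words. */
    hdr_words = (unsigned)(seg[12] >> 4);

    /* Lower bound: the check the report says is missing. */
    if (hdr_words < TCP_MIN_HDR_WORDS)
        return -1;

    /* Upper bound: the header must not overrun the received data. */
    if ((size_t)hdr_words * 4u > seg_len)
        return -1;

    return (int)(hdr_words * 4u);
}

/* Constructed sample input: a zeroed segment with only the data offset set. */
int check_sample(unsigned data_offset, size_t seg_len)
{
    uint8_t seg[60];
    if (seg_len > sizeof seg)
        return -1;
    memset(seg, 0, sizeof seg);
    seg[12] = (uint8_t)((data_offset & 0x0Fu) << 4);
    return tcp_validated_hdrlen(seg, seg_len);
}

int main(void)
{
    printf("offset=5 len=20 -> %d\n", check_sample(5, 20));
    printf("offset=4 len=40 -> %d\n", check_sample(4, 40));
    return 0;
}
```

A data offset of 4 in a 40-byte segment passes an overrun-only check (16 <= 40) but is rejected here, which is the case the report is about.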