lwip-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #22692] TCP: Header length not checked to be > 20


From: Jared Grubb
Subject: [lwip-devel] [bug #22692] TCP: Header length not checked to be > 20
Date: Sat, 22 Mar 2008 14:55:23 +0000
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.12pre) Gecko/20080118 Camino/1.6b2 (like Firefox/2.0.0.12pre)

URL:
  <http://savannah.nongnu.org/bugs/?22692>

                 Summary: TCP: Header length not checked to be > 20
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: jgrubb
            Submitted on: Saturday 03/22/2008 at 07:55
                Category: TCP
                Severity: 6 - Security
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 

    _______________________________________________________

Details:

hdrlen = TCPH_HDRLEN(tcphdr);
if(pbuf_header(p, -(hdrlen * 4))){
...
}

There should be a check to make sure that hdrlen >= 5 (ie 20 bytes). The code
currently checks whether the hdrlen given will overrun the whole packet, but
does not verify that the value is a valid TCP header length.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?22692>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/





reply via email to

[Prev in Thread] Current Thread [Next in Thread]