[lwip-devel] [bug #22692] TCP: Header length not checked to be > 20
From: Jared Grubb
Subject: [lwip-devel] [bug #22692] TCP: Header length not checked to be > 20
Date: Mon, 24 Mar 2008 15:32:39 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Follow-up Comment #3, bug #22692 (project lwip):
The check Frederic mentions makes sure that there is room for a TCP header in
general, but there is no explicit check that the field holding header length
is valid (hdrlen must be >= 5). If hdrlen==0, for example, then the TCP header
itself will be passed to the application/next layer as data.
Although I can't think of a way that this could be exploited, it is an error
in functionality -- and it's easy to fix :).
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?22692>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
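
The header-length check discussed in the comment above, sketched as an added example (not lwIP code and not from the original message). The names `tcp_locate_payload`, `tcp_chk` and `check_sample` are hypothetical, and the example also rejects a header length that runs past the end of the segment, which goes slightly beyond the case the comment describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_MIN_HLEN 20u /* fixed TCP header: 5 words of 32 bits */

enum tcp_chk { TCP_OK = 0, TCP_TOO_SHORT, TCP_BAD_HDRLEN }; /* hypothetical codes */

/* Validate the data-offset (hdrlen) field of a received segment and report
 * where the payload starts. seg/seg_len is the segment handed up by IP. */
static enum tcp_chk tcp_locate_payload(const uint8_t *seg, size_t seg_len,
                                       size_t *payload_off, size_t *payload_len)
{
    if (seg_len < TCP_MIN_HLEN)
        return TCP_TOO_SHORT; /* "room for a TCP header in general" */

    /* Data offset is the upper 4 bits of byte 12, counted in 32-bit words. */
    size_t hdr_bytes = (size_t)(seg[12] >> 4) * 4u;

    /* Explicit field check: hdrlen >= 5 words, and the claimed header must
     * fit inside the segment. Without it, hdrlen == 0 yields offset 0 and
     * the header bytes themselves are delivered as data. */
    if (hdr_bytes < TCP_MIN_HLEN || hdr_bytes > seg_len)
        return TCP_BAD_HDRLEN;

    *payload_off = hdr_bytes;
    *payload_len = seg_len - hdr_bytes;
    return TCP_OK;
}

/* Constructed sample: a zeroed 24-byte segment with only hdrlen filled in. */
static enum tcp_chk check_sample(uint8_t hdrlen_words, size_t *off, size_t *len)
{
    uint8_t seg[24] = {0};
    seg[12] = (uint8_t)(hdrlen_words << 4);
    return tcp_locate_payload(seg, sizeof seg, off, len);
}

int main(void)
{
    size_t off = 0, len = 0;
    for (unsigned w = 0; w <= 7; w++) {
        enum tcp_chk rc = check_sample((uint8_t)w, &off, &len);
        printf("hdrlen=%u -> rc=%d\n", w, (int)rc);
    }
    return 0;
}
```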