[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] Error in handling of TCP Options field

From: fabian . koch
Subject: [lwip-devel] Error in handling of TCP Options field
Date: Fri, 17 Oct 2008 12:13:22 +0200

Hello everyone,

we have discovered some potential errors in LwIP while putting our device to a series of security related stress/error/fuzz-testing on the Ethernet.
The Stack seems to crash when subjected to specifically crafted Packets where the actual TCP Options length does not match the length value that the packet says it will be.
(We are using a slightly modified version of LwIP 1.3.0-stable release)

Our security testingcenter has the following comment:

It is recommended to have a proper boundary checking (i.e., value in the fields to be
checked against the actual values of a particular field) while processing a received TCP
packet. <Device> should discard a packet with TCP Options Length field that does not match
the actual length of the TCP Options field. If this length does not match the actual value, the
packet should then be discarded. This should be fixed by the TCP/IP stack vendor.

I attach two screenshots of Wireshark to this mail. These show the crafted packets with their intentionally wrong TCP Options.
Please consider fixing this issue by doing correct boundary checking of the TCP header and its options field in tcp_input() in 1.3.1.

yours sincerely,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]