[lwip-devel] [bug #24596] Vulnerability on faulty TCP options length

From: Simon Goldschmidt
Subject: [lwip-devel] [bug #24596] Vulnerability on faulty TCP options length
Date: Sat, 18 Oct 2008 15:24:17 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: Gecko/2008070208 Firefox/3.0.1

Update of bug #24596 (project lwip):

                  Status:                    None => Ready For Test         
             Assigned to:                    None => goldsimon              


Follow-up Comment #1:

The solution for this is really simple: the variable indexing the options was
a u8_t. Adding an option-length of nearly 0xff led to that u8_t overflowing,
which is why tcp_parseopt looped endlessly.

However, in contrast to the suggestion to drop this packet, I decided to stay
with ignoring further options if such a malformed packet is received: it's
what we did until now. After all, the only option we can handle is MSS...

Thanks for submitting this, Fabian.
Checked in the fix.


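An added sketch of the index wraparound described in the message above (not lwIP's code and not part of the original post): the same option walk is compiled once with a `uint8_t` index and once with a `uint16_t` index, and a step guard reports when the loop stops making progress. The function names, the guard, the constructed byte arrays and the choice of `uint16_t` as the wider type are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_STEPS 1000 /* demo-only guard so a non-terminating loop is reported */

/* Same option walk, instantiated with two index types. Returns the MSS,
 * 0 if no MSS option was found, -1 if the step guard tripped. */
#define DEFINE_PARSER(name, idx_t)                                            \
static long name(const uint8_t *opts, uint16_t optlen)                        \
{                                                                             \
  unsigned steps = 0;                                                         \
  idx_t c;                                                                    \
  for (c = 0; c < optlen; ) {                                                 \
    if (++steps > MAX_STEPS) return -1;     /* loop is not making progress */ \
    if (opts[c] == 0x00) break;             /* end of option list */          \
    if (opts[c] == 0x01) { ++c; continue; } /* NOP: a single byte */          \
    if (c + 1 >= optlen || opts[c + 1] == 0) break; /* missing/zero length */ \
    if (opts[c] == 0x02 && opts[c + 1] == 0x04 && c + 3 < optlen)             \
      return ((long)opts[c + 2] << 8) | opts[c + 3]; /* MSS value */          \
    c = (idx_t)(c + opts[c + 1]);           /* skip option; narrow idx wraps */\
  }                                                                           \
  return 0;                                                                   \
}

DEFINE_PARSER(parse_mss_u8, uint8_t)   /* index type named in the bug report */
DEFINE_PARSER(parse_mss_u16, uint16_t) /* wider index (assumed): 39 + 255 fits */

/* Constructed samples: NOP, NOP, MSS=1460 and NOP, NOP, unknown kind, len 0xFE */
static const uint8_t good_opts[] = { 0x01, 0x01, 0x02, 0x04, 0x05, 0xB4 };
static const uint8_t bad_opts[]  = { 0x01, 0x01, 0x08, 0xFE, 0, 0, 0, 0 };

int main(void)
{
  printf("valid options:     u8 -> %ld, u16 -> %ld\n",
         parse_mss_u8(good_opts, sizeof good_opts),
         parse_mss_u16(good_opts, sizeof good_opts));
  printf("malformed options: u8 -> %ld, u16 -> %ld\n",
         parse_mss_u8(bad_opts, sizeof bad_opts),
         parse_mss_u16(bad_opts, sizeof bad_opts));
  return 0;
}
```

With the wide index the malformed list returns 0, meaning the remaining options are ignored rather than the packet being dropped, which is the behaviour the message chose to keep.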