[lwip-devel] [bug #43173] pppos_input() corrupts memory if IP_FORWARD is enabled
Mon, 08 Sep 2014 17:16:09 +0000
Summary: pppos_input() corrupts memory if IP_FORWARD is
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: idelamer
Submitted on: Mon 08 Sep 2014 11:16:08 AM MDT
Severity: 4 - Important
Item Group: Crash Error
Assigned to: None
Discussion Lock: Any
Planned Release: 1.5.0
lwIP version: git head

This was introduced in commit 4283ecf7748ccf7ab41fc09b7d6d4acb1f7f4444

If IP forward is enabled, a PBUF_POOL with PBUF_LINK offset is allocated.
In my setup, this is a 256-byte buffer with 16-byte offset.
But the code still writes until len == 256, which with 16-byte offset is out
of bounds. In pcrx->in_head this is off by 10 bytes (due to helper header
inserted) and the rest is off by 16.

It is also unnecessary to allocate PBUF_LINK offset for pbufs other than the
first one (pcrx->in_head).

Won't Etharp or netif->output pre-pend an extra pbuf for link-layer headers?
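
The bounds problem described in the report, as an added example that is not lwIP code and not part of the original message: a simplified model of two adjacent 256-byte pool elements, showing that filling until len == 256 from a 16-byte offset lands 16 bytes in the neighbouring element, while a limit of size minus offset does not. The struct, the function name and the capacity-based limit are assumptions made for illustration; the 10-byte case for pcrx->in_head is not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_BUFSIZE 256 /* pool element size given in the report */
#define LINK_OFFSET  16  /* PBUF_LINK offset given in the report */

/* Simplified stand-in for a pool pbuf (assumption; not lwIP's struct pbuf). */
struct model_pbuf {
    unsigned char *payload; /* first writable byte, after the offset */
    size_t capacity;        /* bytes from payload to the end of the element */
    size_t len;             /* bytes stored so far */
};

/* Two adjacent pool elements; the second stands for a neighbouring allocation. */
static unsigned char arena[2 * POOL_BUFSIZE];

/* Feed n constructed input bytes into a fresh element whose payload starts at
 * `offset`. With bound_by_capacity == 0 the "buffer full" mark is the raw
 * element size, as in the report; with 1 it is size minus offset.
 * Returns how many bytes of the neighbouring element were overwritten. */
static size_t fill_and_count_overrun(size_t offset, int bound_by_capacity, size_t n)
{
    struct model_pbuf p;
    size_t i, limit, overrun = 0;

    memset(arena, 0, sizeof arena);
    p.payload = arena + offset;
    p.capacity = POOL_BUFSIZE - offset;
    p.len = 0;
    limit = bound_by_capacity ? p.capacity : POOL_BUFSIZE;

    for (i = 0; i < n && p.len < limit; i++)
        p.payload[p.len++] = 0xAA;          /* constructed fill byte */
    for (i = POOL_BUFSIZE; i < sizeof arena; i++)
        overrun += (arena[i] != 0);         /* damage outside the element */
    return overrun;
}

int main(void)
{
    printf("offset 16, full at 256:    %zu bytes past the element\n",
           fill_and_count_overrun(LINK_OFFSET, 0, 300));
    printf("offset 16, full at 256-16: %zu bytes past the element\n",
           fill_and_count_overrun(LINK_OFFSET, 1, 300));
    printf("offset 0,  full at 256:    %zu bytes past the element\n",
           fill_and_count_overrun(0, 0, 300));
    return 0;
}
```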
- [lwip-devel] [bug #43173] pppos_input() corrupts memory if IP_FORWARD is enabled,
Ivan Delamer <=