[lwip-devel] [bug #43173] pppos_input() corrupts memory if IP_FORWARD is
From: Ivan Delamer
Subject: [lwip-devel] [bug #43173] pppos_input() corrupts memory if IP_FORWARD is enabled
Date: Mon, 08 Sep 2014 17:16:09 +0000
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
URL: <http://savannah.nongnu.org/bugs/?43173>
Summary: pppos_input() corrupts memory if IP_FORWARD is enabled
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: idelamer
Submitted on: Mon 08 Sep 2014 11:16:08 AM MDT
Category: PPP
Severity: 4 - Important
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: 1.5.0
lwIP version: git head
_______________________________________________________
Details:
This was introduced in commit 4283ecf7748ccf7ab41fc09b7d6d4acb1f7f4444.
If IP forward is enabled, a PBUF_POOL with PBUF_LINK offset is allocated.
In my setup, this is a 256-byte buffer with 16-byte offset.
But the code still writes until len == 256, which with 16-byte offset is out
of bounds. In pcrx->in_head this is off by 10 bytes (due to helper header
inserted) and the rest is off by 16.
It is also unnecessary to allocate PBUF_LINK offset for pbufs other than the
first one (pcrx->in_head).
Won't Etharp or netif->output prepend an extra pbuf for link-layer headers?
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?43173>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
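The overrun described in the report, as an added example that is not part of the original message and is not lwIP code: a simplified model of a 256-byte pool buffer with a 16-byte reserved offset, comparing a fill loop bounded by the pool size with one bounded by the buffer's usable length. The `model_pbuf` type, the function names and the canary region are hypothetical and constructed for illustration; only the 16-byte case is modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_BUFSIZE 256  /* pool buffer size from the report */
#define LINK_OFFSET   16  /* reserved link-layer offset from the report */
#define GUARD         32  /* constructed canary area placed after the buffer */

/* Simplified stand-in for a pool pbuf; this is not lwIP's struct pbuf. */
struct model_pbuf {
    uint8_t store[POOL_BUFSIZE + GUARD]; /* pool buffer followed by canary */
    uint8_t *payload;                    /* store + reserved offset */
    size_t len, used;                    /* usable bytes, bytes written */
};

static void model_alloc(struct model_pbuf *p, size_t offset) {
    memset(p->store, 0, POOL_BUFSIZE);
    memset(p->store + POOL_BUFSIZE, 0xA5, GUARD);
    p->payload = p->store + offset;
    p->len = POOL_BUFSIZE - offset;
    p->used = 0;
}

/* Bounded by the pool buffer size: ignores the offset and runs past the end. */
static void fill_by_pool_size(struct model_pbuf *p, size_t n) {
    for (; n > 0 && p->used < POOL_BUFSIZE; n--)
        p->payload[p->used++] = 0x7E;
}

/* Bounded by p->len: returns the bytes left over for a next buffer. */
static size_t fill_by_len(struct model_pbuf *p, size_t n) {
    for (; n > 0 && p->used < p->len; n--)
        p->payload[p->used++] = 0x7E;
    return n;
}

/* Count canary bytes overwritten beyond the pool buffer. */
static size_t guard_damage(const struct model_pbuf *p) {
    size_t hit = 0;
    for (size_t i = 0; i < GUARD; i++)
        hit += (p->store[POOL_BUFSIZE + i] != 0xA5);
    return hit;
}

int main(void) {
    static struct model_pbuf a, b;
    model_alloc(&a, LINK_OFFSET); fill_by_pool_size(&a, 300);
    model_alloc(&b, LINK_OFFSET); size_t left = fill_by_len(&b, 300);
    printf("overrun=%zu safe=%zu left=%zu\n", guard_damage(&a), guard_damage(&b), left);
    return 0;
}
```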