[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #43173] pppos_input() corrupts memory if IP_FORWARD is

From: Ivan Delamer
Subject: [lwip-devel] [bug #43173] pppos_input() corrupts memory if IP_FORWARD is enabled
Date: Mon, 08 Sep 2014 17:16:09 +0000
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0


                 Summary: pppos_input() corrupts memory if IP_FORWARD is
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: idelamer
            Submitted on: Mon 08 Sep 2014 11:16:08 AM MDT
                Category: PPP
                Severity: 4 - Important
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 1.5.0
            lwIP version: git head



This was introduced in commit 4283ecf7748ccf7ab41fc09b7d6d4acb1f7f4444

If IP forward is enabled, a PBUF_POOL with PBUF_LINK offset is allocated.

In my setup, this is a 256-byte buffer with 16-byte offset.

But the code still writes until len == 256, which with 16-byte offset is out
of bounds. In pcrx->in_head this is off by 10 bytes (due to helper header
inserted) and the rest is off by 16.

It is also unnecessary to allocate PBUF_LINK offset for pbufs other than the
first one (pcrx->in_head ).

Won't Etharp or netif->output pre-pend an extra pbuf for link-layer headers?


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]