[lwip-devel] [bug #53696] Bug in MTU value validation (case: ND6_OPTION_
From: Arkadiusz Wróbel
Subject: [lwip-devel] [bug #53696] Bug in MTU value validation (case: ND6_OPTION_TYPE_MTU)
Date: Wed, 18 Apr 2018 22:02:29 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
URL:
<http://savannah.nongnu.org/bugs/?53696>
Summary: Bug in MTU value validation (case:
ND6_OPTION_TYPE_MTU)
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: catsuryuu
Submitted on: Thu 19 Apr 2018 02:02:28 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
The problem occurs when mtu_opt->mtu is greater than 2^16.
Then 'lwip_htonl(mtu_opt->mtu) >= 1280' will give TRUE, but the value is later
cast to u16_t.
For example, for mtu_opt->mtu == 2^16 + 1 the inp->mtu value will be set to 1
and the server will start sending invalid IPv4 packets only.
What's more, an external host can set the MTU to 20.
Then, if an Echo Request (IPv4) comes, the server will fall into an infinite
loop, flooding the sender with empty IPv4 packets.
I think doing the validation AFTER casting to u16_t should do the job.
[Related to: nd6.c:690]
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Thu 19 Apr 2018 02:02:28 AM UTC Name: set_mtu_to_1.bin Size: 78B By:
catsuryuu
These are raw byte dumps.
<http://savannah.nongnu.org/bugs/download.php?file_id=43971>
-------------------------------------------------------
Date: Thu 19 Apr 2018 02:02:28 AM UTC Name: set_mtu_to_20.bin Size: 78B
By: catsuryuu
These are raw byte dumps.
<http://savannah.nongnu.org/bugs/download.php?file_id=43972>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?53696>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
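
The truncation described in the report, as an added example that is neither lwIP's code nor the reporter's: the lower-bound-only check followed by a narrowing cast, beside a variant that checks both bounds on the 32-bit value before narrowing. The function names, the 1500-byte starting MTU and the option bytes are constructed for illustration; the 8-byte option layout follows RFC 4861.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ND6_OPT_MTU 5      /* MTU option type (RFC 4861) */
#define IP6_MIN_MTU 1280u  /* lower bound quoted in the report */

/* Constructed 8-byte options: type, len (units of 8 bytes), reserved(2), MTU(4, big-endian). */
const uint8_t OPT_MTU_65537[8] = {5, 1, 0, 0, 0x00, 0x01, 0x00, 0x01}; /* 2^16 + 1  */
const uint8_t OPT_MTU_65556[8] = {5, 1, 0, 0, 0x00, 0x01, 0x00, 0x14}; /* 2^16 + 20 */
const uint8_t OPT_MTU_1400[8]  = {5, 1, 0, 0, 0x00, 0x00, 0x05, 0x78}; /* in range  */

/* Extract the 32-bit MTU field; returns 0 on success, -1 on a malformed option. */
static int mtu_opt_read(const uint8_t *opt, size_t len, uint32_t *mtu32)
{
    if (len < 8 || opt[0] != ND6_OPT_MTU || opt[1] != 1) return -1;
    *mtu32 = ((uint32_t)opt[4] << 24) | ((uint32_t)opt[5] << 16) |
             ((uint32_t)opt[6] << 8) | (uint32_t)opt[7];
    return 0;
}

/* Pattern from the report: lower bound tested on 32 bits, then narrowed. */
uint16_t mtu_apply_unchecked(const uint8_t *opt, size_t len, uint16_t cur)
{
    uint32_t mtu32;
    if (mtu_opt_read(opt, len, &mtu32) != 0) return cur;
    if (mtu32 >= IP6_MIN_MTU) return (uint16_t)mtu32; /* high 16 bits silently dropped */
    return cur;
}

/* Hardened: both bounds checked on the 32-bit value before narrowing. */
uint16_t mtu_apply_checked(const uint8_t *opt, size_t len, uint16_t cur)
{
    uint32_t mtu32;
    if (mtu_opt_read(opt, len, &mtu32) != 0) return cur;
    if (mtu32 >= IP6_MIN_MTU && mtu32 <= UINT16_MAX) return (uint16_t)mtu32;
    return cur; /* out of range: keep the current interface MTU */
}

int main(void)
{
    printf("unchecked: %d %d %d\n", mtu_apply_unchecked(OPT_MTU_65537, 8, 1500),
           mtu_apply_unchecked(OPT_MTU_65556, 8, 1500), mtu_apply_unchecked(OPT_MTU_1400, 8, 1500));
    printf("checked:   %d %d %d\n", mtu_apply_checked(OPT_MTU_65537, 8, 1500),
           mtu_apply_checked(OPT_MTU_65556, 8, 1500), mtu_apply_checked(OPT_MTU_1400, 8, 1500));
    return 0;
}
```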