From: | Arkadiusz Wróbel |
Subject: | [lwip-devel] [bug #53705] Buffer overflow in low_level_output in tapif.c (port for Unix) |
Date: | Thu, 19 Apr 2018 23:29:56 -0400 (EDT) |
User-agent: | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 |
URL:
  <http://savannah.nongnu.org/bugs/?53705>

Summary: Buffer overflow in low_level_output in tapif.c (port for Unix)
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: catsuryuu
Submitted on: Fri 20 Apr 2018 03:29:55 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head

_______________________________________________________

Details:

'pbuf_copy_partial' should copy at most sizeof(buf) bytes. Similarly with the following 'write'.

The bug is triggered when the server is trying to send too big Echo Reply for ICMPv6.

[Related with: lwip-contrib/ports/unix/port/netif/tapif.c:237]

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Fri 20 Apr 2018 03:29:55 AM UTC
Name: ping6_2000.pcap
Size: 2KiB
By: catsuryuu

Sending these three packets should trigger the bug (for 'echop' compiled with IPv6)
<http://savannah.nongnu.org/bugs/download.php?file_id=43980>

_______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?53705>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
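The bound the report asks for, shown as an added example that is not part of the original message and is not lwIP's code. `struct seg`, `seg_copy_partial`, `bounded_output` and `FRAME_BUF_SIZE` are hypothetical stand-ins for the pbuf chain, the partial-copy helper, the driver output routine and its local buffer; dropping an oversized frame rather than truncating it is a choice made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an lwIP pbuf chain (not the real struct pbuf). */
struct seg {
    struct seg *next;
    const unsigned char *payload;
    size_t len;      /* bytes in this segment */
    size_t tot_len;  /* bytes in this segment plus all following ones */
};

#define FRAME_BUF_SIZE 1518  /* assumed size of the driver's local frame buffer */

/* Copy at most `cap` bytes from the chain into dst; returns bytes copied. */
static size_t seg_copy_partial(const struct seg *s, unsigned char *dst, size_t cap)
{
    size_t done = 0;
    for (; s != NULL && done < cap; s = s->next) {
        size_t n = s->len < cap - done ? s->len : cap - done;
        memcpy(dst + done, s->payload, n);
        done += n;
    }
    return done;
}

/* Bounded output path: the copy length is limited by the buffer, never by the
 * chain's tot_len. Returns bytes staged, or -1 when the frame is dropped. */
static long bounded_output(const struct seg *s, unsigned char *out, size_t out_size)
{
    unsigned char buf[FRAME_BUF_SIZE];
    size_t cap = out_size < sizeof(buf) ? out_size : sizeof(buf);
    if (s == NULL || s->tot_len > cap)
        return -1;                       /* oversized frame: drop it */
    size_t n = seg_copy_partial(s, buf, cap);
    memcpy(out, buf, n);                 /* stands in for write(fd, buf, n) */
    return (long)n;
}

int main(void)
{
    static unsigned char a[1000], b[1000], out[4096];  /* constructed sample data */
    struct seg s2 = { NULL, b, sizeof b, sizeof b };
    struct seg s1 = { &s2, a, sizeof a, sizeof a + sizeof b };
    printf("2000-byte chain -> %ld\n", bounded_output(&s1, out, sizeof out));
    return 0;
}
```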