[lwip-devel] [bug #53705] Buffer overflow in low_level_output in tapif.c
From: Arkadiusz Wróbel
Subject: [lwip-devel] [bug #53705] Buffer overflow in low_level_output in tapif.c (port for Unix)
Date: Fri, 20 Apr 2018 10:58:05 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

Follow-up Comment #2, bug #53705 (project lwip):
> Could you please tell me how to reproduce ...
You have to send a big Echo Request for ICMPv6 :)
I worked on 'echop' (compiled with LWIP_IPV6 and IPV6_FRAG_COPYHEADER). I left
LWIP_IPV6_FRAG disabled.
I wanted to just use:
ping6 -I tap0 fe80::12:34ff:fe56:78ab -s 2000
but I have a problem with Neighbor Solicitation on tap0.
Should the server (echop) ask about ff02::1:ff40:5060?
I think it should be just ff02::1 (then everything works).
If I'm right, I can make another submission with more details.
Anyway, I also attached a pcap file with my bug report.
There are three packets inside:
- two fragments of Echo Request for ICMPv6
- Neighbor Advertisement for the fake host (10:20:30:40:50:60)
I triggered the bug with them.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?53705>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/