[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #53705] Buffer overflow in low_level_output in tapif.c

From: Arkadiusz Wróbel
Subject: [lwip-devel] [bug #53705] Buffer overflow in low_level_output in tapif.c (port for Unix)
Date: Fri, 20 Apr 2018 10:58:05 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

Follow-up Comment #2, bug #53705 (project lwip):

> Could you please tell me how to reproduce ...
You have to send a big Echo Request for ICMPv6 :)

I worked on 'echop' (compiled with LWIP_IPV6 and IPV6_FRAG_COPYHEADER). I left
LWIP_IPV6_FRAG disabled.

I wanted to just use:
ping6 -I tap0 fe80::12:34ff:fe56:78ab -s 2000
but I have a problem with Neighbor Solicitation on tap0.
Should the server (echop) ask about ff02::1:ff40:5060 ?
I think it should be just ff02::1 (then everything works).
If I'm right I can make another submit with more details.

Anyway, I also attached a pcap file with my bug report.
There are three packets inside:
- two fragments of Echo Request for ICMPv6
- Neighbor Advertisement for the fake host (10:20:30:40:50:60)
I triggered the bug with them.


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]