
[lwip-devel] [bug #55706] LWIP_ASSERT in tcp_receive fails


From: Hiromasa ITO
Subject: [lwip-devel] [bug #55706] LWIP_ASSERT in tcp_receive fails
Date: Wed, 13 Feb 2019 04:02:37 -0500 (EST)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

URL:
  <https://savannah.nongnu.org/bugs/?55706>

                 Summary: LWIP_ASSERT in tcp_receive fails
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: vhertz
            Submitted on: Wed 13 Feb 2019 09:02:35 AM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Hi, all.

I found a test case that fails the LWIP_ASSERT in tcp_receive()
(by fuzzing with AFL).

The LWIP_ASSERT is at tcp_in.c:1532 in lwIP v2.1.2.

This if-block includes the LWIP_ASSERT.


/* --- code snippet start  --- */

if (next &&
    TCP_SEQ_GT(seqno + tcplen,
               next->tcphdr->seqno)) {

  inseg.len = (u16_t)(next->tcphdr->seqno - seqno);
  if (TCPH_FLAGS(inseg.tcphdr) & TCP_SYN) {
    inseg.len -= 1;
  }
  pbuf_realloc(inseg.p, inseg.len);
  tcplen = TCP_TCPLEN(&inseg);

  /* fails this assertion */
  LWIP_ASSERT("tcp_receive: segment not trimmed correctly to ooseq queue\n",
              (seqno + tcplen) == next->tcphdr->seqno);
}

/* --- code snippet end --- */


In the test case, the arguments of the assertion were as below.


seqno               : 0x93d897e7
tcplen              : 0xffff
next->tcphdr->seqno : 0x93d897e6


And the value of tcplen before the block was 0x0001.

inseg.len is assigned to tcplen.
(next->tcphdr->seqno - seqno) is assigned to inseg.len.

In this case, the value of (next->tcphdr->seqno - seqno) is 0xffffffff,
so this value is out of the range of u16_t.

I think we need to add some other validation checks.




    _______________________________________________________
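The arithmetic in the report, replayed as an added example (this is not lwIP code and not the reporter's): trimmed_tcplen() repeats the u32 subtraction and u16_t truncation from the snippet, trim_consistent() is the assertion's condition, and trim_is_safe() is an assumed guard showing the kind of validation the report asks for (next's seqno must lie after seqno in sequence space and the difference must fit a u16_t). The TCP_SEQ_* macros are written out here so the block builds stand-alone; SYN/FIN length adjustments are ignored.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16_t;
typedef uint32_t u32_t;

/* Wrap-safe sequence-number comparisons, written out locally (assumption:
   same shape as lwIP's macros, defined here only so this file builds alone). */
#define TCP_SEQ_LT(a, b) ((int32_t)((u32_t)(a) - (u32_t)(b)) < 0)
#define TCP_SEQ_GT(a, b) ((int32_t)((u32_t)(a) - (u32_t)(b)) > 0)

/* Replays the snippet: inseg.len = (u16_t)(next->tcphdr->seqno - seqno).
   The 32-bit difference wraps when next_seqno < seqno, and the cast then
   truncates 0xffffffff to 0xffff. Returns the tcplen the assertion sees. */
u32_t trimmed_tcplen(u32_t seqno, u32_t next_seqno) {
    u32_t diff = next_seqno - seqno;   /* wraps to 0xffffffff in the report */
    u16_t len = (u16_t)diff;           /* truncation: 0xffffffff -> 0xffff */
    return len;
}

/* The condition checked by the failing LWIP_ASSERT. */
int trim_consistent(u32_t seqno, u32_t tcplen, u32_t next_seqno) {
    return (seqno + tcplen) == next_seqno;   /* u32 wrap is intended here */
}

/* Assumed guard (not a proposed lwIP patch): trimming to next_seqno is only
   meaningful when next_seqno is strictly after seqno, the gap fits a u16_t,
   and the gap does not exceed the current length (a trim never grows). */
int trim_is_safe(u32_t seqno, u32_t tcplen, u32_t next_seqno) {
    if (!TCP_SEQ_GT(next_seqno, seqno)) {
        return 0;                      /* next is at or before seqno */
    }
    u32_t diff = next_seqno - seqno;
    if (diff > 0xffffu || diff > tcplen) {
        return 0;                      /* would overflow u16_t or grow */
    }
    return 1;
}

int main(void) {
    /* Values from the report (constructed input, taken from the text above). */
    u32_t seqno = 0x93d897e7u, next = 0x93d897e6u, tcplen = 0x0001u;
    u32_t t = trimmed_tcplen(seqno, next);
    printf("trimmed tcplen = 0x%x, assertion holds = %d, guard allows = %d\n",
           t, trim_consistent(seqno, t, next), trim_is_safe(seqno, tcplen, next));
    return 0;
}
```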
