[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #58554] Memory disclosure in the 6LoWPAN implementatio
From: |
Wenqiang Li |
Subject: |
[lwip-devel] [bug #58554] Memory disclosure in the 6LoWPAN implementation |
Date: |
Fri, 12 Jun 2020 13:24:23 -0400 (EDT) |
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36 |
URL:
<https://savannah.nongnu.org/bugs/?58554>
Summary: Memory disclosure in the 6LoWPAN implementation
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: silentdawn
Submitted on: Fri 12 Jun 2020 05:24:21 PM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
Type:
Buffer overflow
Description:
This bug is similar to bug #58553. The function zepif_linkoutput() tries to
parse an 6LoWPAN TX packet as UDP broadcast. When it calls the function
pbuf_take_at() as shown in line 204 of zepif.c, the same incorrectly used
parameters are passed as the Bug 2. In particular, the p->tot_len is the total
length of the p->payload and all payloads length of its following pbuf. If
p->tot_len is larger than the length of p->payload, the memory will leak to
remote attackers through the network. To send the whole packet, it should use
a loop to traverse the list of p->next and send all the payloads with length
p->tot_len.
168
zepif_linkoutput(struct netif *netif, struct pbuf *p){
...
204
err = pbuf_take_at(q, p->payload, p->tot_len, sizeof(struct zep_hdr));
...
214
}
Result:
Memory disclosure.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?58554>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [lwip-devel] [bug #58554] Memory disclosure in the 6LoWPAN implementation,
Wenqiang Li <=