[lwip-devel] [bug #59603] Use-after-free if tcp_process_refused_data() r
From: Tom Vajzovic
Subject: [lwip-devel] [bug #59603] Use-after-free if tcp_process_refused_data() returns ERR_ABRT
Date: Wed, 2 Dec 2020 15:37:25 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
URL:
<https://savannah.nongnu.org/bugs/?59603>
Summary: Use-after-free if tcp_process_refused_data() returns
ERR_ABRT
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: tcv
Submitted on: Wed 02 Dec 2020 08:37:24 PM UTC
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: 2.1.1
_______________________________________________________
Details:
Hi,
I think I've found a use-after-free in tcp_input().
If tcp_process_refused_data() returns ERR_ABRT, then tcp_input() continues to
use the pcb (accessing pcb->refused_data, pcb->rcv_ann_wnd and calling
tcp_send_empty_ack()).
I think it needs to goto aborted directly.
I'm not sure if there might also be a memory leak: does tcp_input() need to
call tcp_abort() itself if the receive callback didn't return ERR_ABRT but
((pcb->refused_data != NULL) && (tcplen > 0)) is true? If not then maybe it
shouldn't goto aborted in that case.
Thanks,
Tom
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?59603>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
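The control-flow hazard described in the report, as an added example that is not part of the original message and is not lwIP source code. It is a simplified model: the `model_*`, `input_*`, `touch` and `stale_after` names are hypothetical, the pcb is a static slot whose release is recorded in a flag so that stale accesses are counted instead of actually dereferencing freed memory, and the data values are constructed.

```c
#include <stdio.h>
enum { ERR_OK = 0, ERR_ABRT = -13 };   /* model constants */
/* in_use is cleared on release; refused_data is data the app refused earlier */
struct model_pcb { int in_use; void *refused_data; unsigned rcv_ann_wnd; };
static struct model_pcb slot;   /* one static slot stands in for the pcb pool */
static int stale;               /* pcb accesses made after release */
/* Every pcb access goes through touch(), so stale use is counted, not UB. */
static struct model_pcb *touch(struct model_pcb *p) { if (!p->in_use) stale++; return p; }
static void model_send_empty_ack(struct model_pcb *p) { (void)touch(p); }

/* Redelivers refused data; app_aborts models a receive callback that aborts. */
static int model_process_refused_data(struct model_pcb *p, int app_aborts) {
    if (app_aborts) { p->in_use = 0; return ERR_ABRT; }   /* pcb released */
    touch(p)->refused_data = NULL;                        /* data accepted */
    return ERR_OK;
}

/* Reported pattern: ERR_ABRT lands in a branch that still reads the pcb. */
static int input_shared_branch(struct model_pcb *p, int app_aborts, int tcplen) {
    if (model_process_refused_data(p, app_aborts) == ERR_ABRT ||
        (touch(p)->refused_data != NULL && tcplen > 0)) {
        if (touch(p)->rcv_ann_wnd == 0) model_send_empty_ack(p);
        return -1;                                        /* "aborted" exit */
    }
    return 0;
}

/* Shape the report asks for: leave on ERR_ABRT before any further pcb access. */
static int input_abort_first(struct model_pcb *p, int app_aborts, int tcplen) {
    if (model_process_refused_data(p, app_aborts) == ERR_ABRT) return -1;
    if (touch(p)->refused_data != NULL && tcplen > 0) {
        if (touch(p)->rcv_ann_wnd == 0) model_send_empty_ack(p);
        return -1;
    }
    return 0;
}

/* Resets the slot, runs one handler, returns the number of stale accesses. */
static int stale_after(int (*handler)(struct model_pcb *, int, int), int app_aborts) {
    static char payload[4];                       /* constructed refused data */
    slot = (struct model_pcb){ 1, payload, 0 };
    stale = 0;
    handler(&slot, app_aborts, 4);
    return stale;
}
int main(void) {
    printf("shared: %d stale, abort-first: %d stale\n",
           stale_after(input_shared_branch, 1), stale_after(input_abort_first, 1));
    return 0;
}
```

In a real stack the same check is done with a memory-error detector such as AddressSanitizer rather than an in-band flag.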