[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow

From: Wouter van Gulik
Subject: [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
Date: Wed, 22 Dec 2021 10:17:57 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0

Follow-up Comment #1, bug #61480 (project lwip):

Can you please elaborate on how the overflow actually happens?

If everything is in one pbuf the following code will limit the size to only
what is available in the pbuf, which will cause a "zero-copy" by
_pbuf_get_contiguous_ . And no overflow will happen.

/* Adjust cpy_len to ensure zero-copy operation for remaining parts of current
message */
if (client->msg_idx >= MQTT_VAR_HEADER_BUFFER_LEN) {
  if (cpy_len > (p->len - in_offset))
    cpy_len = p->len - in_offset;

The overflow will only happen if the pbuf is actually a chain of pbufs.

The 'p->len - in_offset' could underflow; in_offset is counted against
p->tot_len. So only if multiple pbufs are used this check will underflow and
cause the _pbuf_get_contiguous_ call to make a write beyond the rx_buffer.

I am not familiar with internals of lwip to know when a pbuf queue is actually
created for TCP RX. So perhaps this is always the case?

The 'p->len - in_offset' is just wrong. _p_ is never updated and is always the
first _p_, regardless of the current in_offset.


Reply to this item at:


  Message sent via Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]