lwip-devel

[lwip-devel] lwip buffer overruns identified by Coverity


From: Joseph Dunne
Subject: [lwip-devel] lwip buffer overruns identified by Coverity
Date: Tue, 6 Sep 2022 17:07:37 +0000

Hello,

I've used Coverity to scan the LWIP library and there are a couple of issues that Coverity has found that I'm not sure how to handle. Have any of you seen this issue before?

Issue 1 (CID 327382 for my reference):
Out-of-bounds read
The issue is detected in lwip/src/netif/ppp/vj.c in function vj_compress_tcp().  

Line #292 is this, which contains the offending buffer overrun (note that csu_ip is a #define alias for cs_ip):
      || (deltaS > 5 && BCMP(ip + 1, &cs->cs_ip + 1, (deltaS - 5) << 2))

Coverity claims Out-of-bounds read (OVERRUN)
overrun-local: Overrunning array of 20 bytes at byte offset 20 by dereferencing pointer &cs->vjcs_u.csu_ip + 1


I've found the same file has been refactored significantly and renamed from vj.c to slhc.c in the linux source code.  I believe the corresponding line is line 350
from the following link.  It looks like they just removed the +1 offset on the cs_ip pointer dereference, but with all the other refactoring, I don't think I can use that as-is.

Corresponding updated source code ("substantially rewritten to use NOS facilities"):


Issue 2 (CID 406766):
Out-of-bounds access
The issue is detected in lwip/src/core/ipv4/dhcp.c in function dhcp_inform().

Line #392 sets up the index options_out_len, which Coverity claims "The value of options_out_len is now at least 69":
options_out_len = dhcp_option_short(options_out_len, msg_out->options, DHCP_MAX_MSG_LEN(netif));

Line #843 is this, which contains the buffer overrun:
dhcp_option_trailer(options_out_len, msg_out->options, p_out);

Coverity claims Out of bounds array access (OVERRUN)
overrun-buffer-arg: Overrunning array msg_out->options of 68 bytes by passing it to a function which accesses it at byte offset 69 using argument options_out_len (which evaluates to 69)

Details of the containing function point to this line which actually performs the offending buffer access in function dhcp_option_trailer():
options[options_out_len++] = DHCP_OPTION_END;
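As an added illustration of the pattern behind Issue 2 (this is not lwIP's own code), here is a minimal option writer in which the equivalent of options_out_len is bounds-checked at runtime before every write, so the trailer's END byte can never land past the 68-byte buffer that Coverity's report describes. OPTIONS_LEN, the opt_* names and the struct layout are assumptions chosen for the example; the 68-byte size is taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPTIONS_LEN 68   /* size of the options[] buffer in the report */
#define OPT_END     255  /* DHCP "end of options" tag */

struct opt_writer {
    uint8_t buf[OPTIONS_LEN];
    size_t  len;         /* plays the role of options_out_len */
};

/* Append a tag/length/value option. Returns 0, or -1 if it would not fit.
 * One byte is reserved for OPT_END so the trailer can always be placed;
 * the check is a runtime test, not only a debug-time assertion. */
static int opt_append(struct opt_writer *w, uint8_t tag, const uint8_t *val, uint8_t vlen)
{
    if (w->len + 2u + vlen + 1u > OPTIONS_LEN)   /* tag + len + value + END */
        return -1;
    w->buf[w->len++] = tag;
    w->buf[w->len++] = vlen;
    memcpy(&w->buf[w->len], val, vlen);
    w->len += vlen;
    return 0;
}

/* Terminate the list. The write options[len++] = END happens only while
 * len is still inside the 68-byte buffer, so index 68 or 69 is never touched. */
static int opt_trailer(struct opt_writer *w)
{
    if (w->len >= OPTIONS_LEN)
        return -1;
    w->buf[w->len++] = OPT_END;
    return 0;
}

/* Demo: push 4-byte options (a 16-bit value, as dhcp_option_short would)
 * until the buffer is full, then terminate. Returns the final length,
 * 65 for this buffer, or 0 if the trailer could not be placed. */
static size_t opt_demo_fill(void)
{
    struct opt_writer w = { {0}, 0 };
    uint16_t i;
    for (i = 0; ; i++) {
        uint8_t be[2] = { (uint8_t)(i >> 8), (uint8_t)i };  /* network order */
        if (opt_append(&w, 57, be, 2) != 0)  /* 57 = max-message-size tag */
            break;
    }
    return opt_trailer(&w) == 0 ? w.len : 0;
}
```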


