[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
|
From: |
Wouter van Gulik |
|
Subject: |
[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow |
|
Date: |
Wed, 22 Dec 2021 10:17:57 -0500 (EST) |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 |
Follow-up Comment #1, bug #61480 (project lwip):
Can you please elaborate on how the overflow actually happens?
If everything is in one pbuf the following code will limit the size to only
what is available in the pbuf, which will cause a "zero-copy" by
_pbuf_get_contiguous_ . And no overflow will happen.
/* Adjust cpy_len to ensure zero-copy operation for remaining parts of current
message */
if (client->msg_idx >= MQTT_VAR_HEADER_BUFFER_LEN) {
if (cpy_len > (p->len - in_offset))
cpy_len = p->len - in_offset;
}
The overflow will only happen if the pbuf is actually a chain of pbufs.
The 'p->len - in_offset' could underflow; in_offset is counted against
p->tot_len. So only if multiple pbufs are used this check will underflow and
cause the _pbuf_get_contiguous_ call to make a write beyond the rx_buffer.
I am not familiar with internals of lwip to know when a pbuf queue is actually
created for TCP RX. So perhaps this is always the case?
The 'p->len - in_offset' is just wrong. _p_ is never updated and is always the
first _p_, regardless of the current in_offset.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?61480>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
- [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow,
Wouter van Gulik <=