From: Joseph Dunne
Subject: [lwip-devel] lwip buffer overruns identified by Coverity
Date: Tue, 6 Sep 2022 17:07:37 +0000
Hello,
I've used Coverity to scan the LWIP library and there are a couple of issues that Coverity has found that I'm not sure how to handle. Have any of you seen this issue before?
Issue 1 (CID 327382 for my reference):
Out-of-bounds read
The issue is detected in lwip/src/netif/ppp/vj.c in function vj_compress_tcp().
Line #292 is this which contains the offending buffer overrun (note that csu_ip is a #define alias for cs_ip):
|| (deltaS > 5 && BCMP(ip + 1, &cs->cs_ip + 1, (deltaS - 5) << 2))
Coverity claims Out-of-bounds read (OVERRUN)
overrun-local: Overrunning array of 20 bytes at byte offset 20 by dereferencing pointer &cs->vjcs_u.csu_ip + 1
I've found the same file has been refactored significantly and renamed from vj.c to slhc.c in the Linux source code. I believe the corresponding line is line 350 from the following link. It looks like they just removed the +1 offset on the cs_ip pointer dereference, but with all the other refactoring, I don't think I can use that as-is.
Corresponding updated source code ("substantially rewritten to use NOS facilities"):
Issue 2 (CID 406766):
Out-of-bounds access
The issue is detected in lwip/src/core/ipv4/dhcp.c in function dhcp_inform().
Line #392 sets up the index options_out_len, which Coverity claims "The value of options_out_len is now at least 69":
options_out_len = dhcp_option_short(options_out_len, msg_out->options, DHCP_MAX_MSG_LEN(netif));
Line #843 is this, which contains the buffer overrun:
dhcp_option_trailer(options_out_len, msg_out->options, p_out);
Coverity claims Out of bounds array access (OVERRUN)
overrun-buffer-arg: Overrunning array msg_out->options of 68 bytes by passing it to a function which accesses it at byte offset 69 using argument options_out_len (which evaluates to 69)
Details of the containing function point to this line which actually performs the offending buffer access in function dhcp_option_trailer():
options[options_out_len++] = DHCP_OPTION_END;
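
The pattern behind Issue 1, as an added example that is not part of the original message and is not lwIP code: the IP options are compared by indexing a raw byte buffer with explicit length checks, instead of reading through a pointer one past a 20-byte member. It assumes the 20-byte header member shares a union with a larger byte buffer (suggested by the vjcs_u name in the report); struct model_cstate, MODEL_MAX_HDR and ip_options_differ() are hypothetical names, and hlen_words plays the role of deltaS.

```c
#include <stddef.h>
#include <string.h>

#define IP_HDR_LEN    20u   /* fixed IPv4 header, the "array of 20 bytes" in the report */
#define MODEL_MAX_HDR 128u  /* constructed size of the saved-header buffer */

/* Hypothetical stand-in for the compression state, not lwIP's struct cstate. */
struct model_ip_hdr { unsigned char b[IP_HDR_LEN]; };
struct model_cstate {
  union {
    unsigned char csu_hdr[MODEL_MAX_HDR];  /* saved header as raw bytes */
    struct model_ip_hdr csu_ip;            /* same bytes viewed as an IP header */
  } vjcs_u;
};

/*
 * Flagged pattern:  BCMP(ip + 1, &cs->cs_ip + 1, (deltaS - 5) << 2)
 * "&csu_ip + 1" is one past a 20-byte member, so the analyzer sees a read at
 * offset 20 of a 20-byte object. Indexing the byte array instead makes the
 * bound explicit: csu_hdr + 20 lies inside a MODEL_MAX_HDR-byte array.
 *
 * Returns 1 if the IP options differ, 0 if they are equal or absent, and -1
 * if the header length is invalid or would run past either buffer.
 */
int ip_options_differ(const unsigned char *pkt, size_t pkt_len,
                      const struct model_cstate *cs, unsigned hlen_words)
{
  size_t hlen = (size_t)hlen_words << 2;   /* header length is in 32-bit words */

  if (hlen_words < 5 || hlen > pkt_len || hlen > MODEL_MAX_HDR) {
    return -1;                             /* reject before touching memory */
  }
  if (hlen_words == 5) {
    return 0;                              /* no options to compare */
  }
  return memcmp(pkt + IP_HDR_LEN, cs->vjcs_u.csu_hdr + IP_HDR_LEN,
                hlen - IP_HDR_LEN) != 0;
}
```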