we found the LwIP stack (V1.3.2) to
be vulnerable to a classic TCP LAND attack. Meaning a crafted packet is
sent to the target running LwIP, where source and destination address as
well as both ports are the same (IP of the target) and the SYN flag is set.
So the host starts replying to itself with SYN/ACK and interprets its own
reply once again as an incoming SYN packet and continues to answer with
SYN/ACK.
This should probably be avoided in ip_input()
or tcp_input() by checking for dest==source for address and port and then
discarding the packet.
If you guys agree, I could come up with a patch for 1.3.2 and put it up
on savannah. We will not switch to 1.4.0 in the foreseeable future so I
won't bother adapting code to that version, but I guess ip_input() won't
have huge changes?!
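The check proposed above, written out as a stand-alone example. This is added illustration, not lwIP code and not the poster's patch: it parses a raw IPv4/TCP packet with its own minimal header reader rather than lwIP's structures, and the packet builder and the 192.168.0.x addresses are constructed test input. It only flags the packet when SYN is also set, which is the reflection case described in the post; dropping on address/port equality alone would be the stricter variant of the same check.

```c
/* Added example: a stand-alone LAND-packet check in plain C. This is not
 * lwIP code and does not use lwIP's headers; the raw header parsing and the
 * packet builder below are assumptions made for illustration only.
 * A LAND packet is an IPv4/TCP segment whose source and destination address
 * and whose source and destination port are identical, with SYN set. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_PROTO_TCP  6
#define TCP_FLAG_SYN  0x02
#define TCP_FLAG_ACK  0x10

/* Network byte order (big-endian) field readers/writers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)((v >> 16) & 0xff);
    p[2] = (uint8_t)((v >> 8) & 0xff); p[3] = (uint8_t)(v & 0xff);
}

/* Returns 1 if pkt is a LAND packet that should be discarded before any
 * SYN/ACK is generated, 0 otherwise. Short, non-IPv4 or non-TCP packets
 * return 0: this function decides only the LAND case, nothing else. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;        /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* IP header length */
    if (ihl < 20 || len < ihl + 20) return 0;            /* need full TCP hdr */
    if (pkt[9] != IP_PROTO_TCP) return 0;
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    const uint8_t *tcp = pkt + ihl;
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    uint8_t flags = tcp[13];
    return src == dst && sport == dport && (flags & TCP_FLAG_SYN) != 0;
}

/* Builds a minimal IPv4+TCP segment (no options, checksums left zero; this is
 * constructed test input, not a valid wire packet). Returns total length. */
size_t build_tcp_packet(uint8_t *buf, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                 /* IPv4, IHL = 5 (20 bytes) */
    wr16(buf + 2, 40);             /* total length */
    buf[8] = 64;                   /* TTL */
    buf[9] = IP_PROTO_TCP;
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    uint8_t *tcp = buf + 20;
    wr16(tcp, sport);
    wr16(tcp + 2, dport);
    tcp[12] = 0x50;                /* data offset = 5 words */
    tcp[13] = flags;
    return 40;
}

#define TARGET_IP  0xC0A80001u     /* 192.168.0.1, constructed target address */
#define CLIENT_IP  0xC0A80002u     /* 192.168.0.2, constructed peer address */

/* LAND: src == dst == target, sport == dport, SYN set -> must be dropped. */
int demo_land_packet(void)
{
    uint8_t buf[40];
    size_t n = build_tcp_packet(buf, TARGET_IP, TARGET_IP, 80, 80, TCP_FLAG_SYN);
    return is_land_packet(buf, n);
}

/* Ordinary SYN from another host and port -> not LAND, keep processing. */
int demo_normal_syn(void)
{
    uint8_t buf[40];
    size_t n = build_tcp_packet(buf, CLIENT_IP, TARGET_IP, 45000, 80, TCP_FLAG_SYN);
    return is_land_packet(buf, n);
}

/* Same addresses and ports but no SYN (e.g. a stray ACK): this variant of the
 * check lets it through, since it cannot start the SYN/ACK reflection loop. */
int demo_same_tuple_no_syn(void)
{
    uint8_t buf[40];
    size_t n = build_tcp_packet(buf, TARGET_IP, TARGET_IP, 80, 80, TCP_FLAG_ACK);
    return is_land_packet(buf, n);
}
```

The place for such a check is before the stack builds any reply, i.e. on the receive path in ip_input() or tcp_input() as the post suggests: once a SYN/ACK has been emitted the host is already feeding itself. Dropping the packet silently (no RST) is deliberate, since any reply would carry the same reflected addresses.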