[lwip-devel] [bug #59468] null pointer dereference of lwip function ip_r
From: Wenqiang Li
Subject: [lwip-devel] [bug #59468] null pointer dereference of lwip function ip_reass_free_complete_datagram
Date: Mon, 16 Nov 2020 19:47:54 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
URL:
<https://savannah.nongnu.org/bugs/?59468>
Summary: null pointer dereference of lwip function
ip_reass_free_complete_datagram
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: silentdawn
Submitted on: Tue 17 Nov 2020 12:47:52 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
The lwip function ip_reass_free_complete_datagram() is used to free a datagram
(struct ip_reassdata) and all its pbufs. It's called periodically by the
function ip_reass_tmr(), or by the function ip_reass_remove_oldest_datagram()
to clear the oldest datagram.
When trying to build struct ip_reass_helper *iprh, the function
ip_reass_free_complete_datagram() dereferences the pointer ipr->p->payload as
below.
https://github.com/STMicroelectronics/STM32CubeH7/blob/beced99ac090fece04d1e0eb6648b8075e156c6c/Middlewares/Third_Party/LwIP/src/core/ipv4/ip4_frag.c#L178
However, it doesn't check if ipr->p is a null pointer and there is a chance it
could be. This will lead to a null pointer dereference bug.
It could be reproduced by the attached file as a pcap package.
To patch it, the function ip_reass_free_complete_datagram should first check
if ipr->p is null.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Tue 17 Nov 2020 12:47:52 AM UTC Name: testcase0.txt Size: 4KiB By:
silentdawn
<http://savannah.nongnu.org/bugs/download.php?file_id=50288>
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?59468>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
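
The check the report asks for, shown on a simplified model of the reassembly entry. This is an added example, not lwIP's code or the submitter's patch: the struct layouts, `make_frag`, `make_entry` and `reass_free_checked` are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for lwIP's types (assumed layout, not the real headers). */
struct pbuf { void *payload; };
struct ip_reass_helper { struct pbuf *next_pbuf; unsigned short start, end; };
struct ip_reassdata { struct pbuf *p; };

/* Constructed helper: allocate one fragment covering [start, end). */
struct pbuf *make_frag(unsigned short start, unsigned short end, struct pbuf *next) {
  struct pbuf *p = malloc(sizeof *p);
  struct ip_reass_helper *h = malloc(sizeof *h);
  if (p == NULL || h == NULL) { free(p); free(h); return NULL; }
  h->next_pbuf = next; h->start = start; h->end = end;
  p->payload = h;  /* the helper lives in the fragment's payload */
  return p;
}

/* Constructed helper: a reassembly entry holding chain p (p may be NULL). */
struct ip_reassdata *make_entry(struct pbuf *p) {
  struct ip_reassdata *ipr = malloc(sizeof *ipr);
  if (ipr != NULL) ipr->p = p;
  return ipr;
}

/* Guarded free. Returns the number of pbufs released and sets *had_first when
   the offset-0 fragment was queued. The unguarded form reads ipr->p->payload
   unconditionally and faults when the entry holds no fragment. */
int reass_free_checked(struct ip_reassdata *ipr, int *had_first) {
  int freed = 0;
  struct pbuf *p;
  *had_first = 0;
  if (ipr == NULL) return 0;
  p = ipr->p;
  if (p != NULL) {  /* the missing check: only touch payload if a pbuf exists */
    *had_first = (((struct ip_reass_helper *)p->payload)->start == 0);
  }
  while (p != NULL) {  /* walk the chain through the helper in each payload */
    struct ip_reass_helper *iprh = (struct ip_reass_helper *)p->payload;
    struct pbuf *next = iprh->next_pbuf;
    free(iprh);
    free(p);
    freed++;
    p = next;
  }
  free(ipr);
  return freed;
}

int main(void) { int f; return reass_free_checked(make_entry(NULL), &f); }
```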