lwip-devel

[lwip-devel] [bug #59468] null pointer dereference of lwip function ip_r


From: Wenqiang Li
Subject: [lwip-devel] [bug #59468] null pointer dereference of lwip function ip_reass_free_complete_datagram
Date: Mon, 16 Nov 2020 19:47:54 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36

URL:
  <https://savannah.nongnu.org/bugs/?59468>

                 Summary: null pointer dereference of lwip function
ip_reass_free_complete_datagram
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: silentdawn
            Submitted on: Tue 17 Nov 2020 12:47:52 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

The lwip function ip_reass_free_complete_datagram() is used to free a datagram
(struct ip_reassdata) and all its pbufs. It's called periodically by the function
ip_reass_tmr(), or by the function ip_reass_remove_oldest_datagram() to
clear the oldest datagram.

When trying to build struct ip_reass_helper *iprh, the function
ip_reass_free_complete_datagram() dereferences the pointer ipr->p->payload as
below.
https://github.com/STMicroelectronics/STM32CubeH7/blob/beced99ac090fece04d1e0eb6648b8075e156c6c/Middlewares/Third_Party/LwIP/src/core/ipv4/ip4_frag.c#L178.

However, it doesn't check if ipr->p is a null pointer, and there is a chance it
could be. This will lead to a null pointer dereference bug.

It can be reproduced with the attached file, a pcap capture.

To patch it, the function ip_reass_free_complete_datagram should first check if
ipr->p is null.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 17 Nov 2020 12:47:52 AM UTC  Name: testcase0.txt  Size: 4KiB   By:
silentdawn

<http://savannah.nongnu.org/bugs/download.php?file_id=50288>

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?59468>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
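The guard the report asks for, shown on a constructed C model of the free routine. This is an added example, not lwIP's code and not the reporter's: the structs keep only the fields needed to walk a fragment chain through the helper overlaid on each pbuf's payload, and the names model_free_complete_datagram and model_make_datagram are assumptions chosen for the example. The point it demonstrates is that the walk must start from a null-tolerant read of ipr->p, so a datagram descriptor whose chain is empty is freed cleanly instead of dereferencing ipr->p->payload.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for lwIP's pbuf, ip_reass_helper and ip_reassdata.
 * They keep only the fields this model needs and are not lwIP's definitions. */
struct pbuf {
    void *payload;           /* in lwIP this is the fragment's IP header; the
                                reassembly helper is overlaid on it */
};

struct ip_reass_helper {
    struct pbuf *next_pbuf;  /* next fragment in this datagram's chain */
};

struct ip_reassdata {
    struct pbuf *p;          /* head of the fragment chain; the report says this
                                can be NULL when the free routine runs */
};

/* Free one pbuf together with the helper stored in its payload. */
static void model_pbuf_free(struct pbuf *p)
{
    free(p->payload);
    free(p);
}

/* Model of ip_reass_free_complete_datagram() with the missing check added.
 * Without the NULL test the first statement would be
 *     iprh = (struct ip_reass_helper *)ipr->p->payload;
 * which is the dereference the report describes when ipr->p is NULL.
 * Returns the number of pbufs freed (0 for an empty chain). */
int model_free_complete_datagram(struct ip_reassdata *ipr)
{
    int freed = 0;
    struct pbuf *p = ipr->p;

    /* The guard: only read a helper out of a pbuf that actually exists. */
    while (p != NULL) {
        struct ip_reass_helper *iprh = (struct ip_reass_helper *)p->payload;
        struct pbuf *next = iprh->next_pbuf;  /* read before freeing p */
        model_pbuf_free(p);
        freed++;
        p = next;
    }
    ipr->p = NULL;
    free(ipr);
    return freed;
}

/* Build a datagram descriptor holding n chained fragments. n == 0 yields the
 * empty-chain state (ipr->p == NULL) that the report says can occur. */
struct ip_reassdata *model_make_datagram(int n)
{
    struct ip_reassdata *ipr = calloc(1, sizeof *ipr);
    if (ipr == NULL) {
        return NULL;
    }
    struct pbuf **link = &ipr->p;
    for (int i = 0; i < n; i++) {
        struct pbuf *p = calloc(1, sizeof *p);
        struct ip_reass_helper *h = calloc(1, sizeof *h);
        if (p == NULL || h == NULL) {
            free(p);
            free(h);
            break;                /* chain stays consistent up to this point */
        }
        p->payload = h;
        *link = p;
        link = &h->next_pbuf;
    }
    return ipr;
}

int main(void)
{
    /* A three-fragment datagram and an empty one both free without a crash. */
    int a = model_free_complete_datagram(model_make_datagram(3));
    int b = model_free_complete_datagram(model_make_datagram(0));
    return (a == 3 && b == 0) ? 0 : 1;
}
```

The same shape applies to the real routine: whatever else it does with the helper (in lwIP the helper also carries the fragment offsets), every read of ipr->p->payload has to sit behind a test that ipr->p is non-NULL, and the walk has to read next_pbuf before the pbuf it lives in is released.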
