From: Przemyslaw Bejtan
Subject: [lwip-devel] [bug #43081] The crash error for the active LWIP_NETBUF_RECVINFO option in api_msg.c (lwip-1.4.1)
Date: Tue, 26 Aug 2014 17:06:12 +0000
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0

URL:
  <http://savannah.nongnu.org/bugs/?43081>

                 Summary: The crash error for the active LWIP_NETBUF_RECVINFO option in api_msg.c (lwip-1.4.1)
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: przemyslawbejtan
            Submitted on: Tue 26 Aug 2014 05:06:11 PM GMT
                Category: Network drivers
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.4.1

    _______________________________________________________

Details:

The crash error for the active LWIP_NETBUF_RECVINFO option in api_msg.c
(lwip-1.4.1).

Recently, while working with the lwIP stack, I found a critical bug that appears
when the LWIP_NETBUF_RECVINFO option is active.

In the module "api_msg.c", at line 184, we have:

const struct udp_hdr* udphdr = (void*)(((char*)iphdr) + IPH_LEN(iphdr));

The problem is that the macro "IPH_LEN()" does no big/little-endian conversion.
On a big-endian processor architecture this poses no threat. On a little-endian
architecture, "IPH_LEN(iphdr)" yields an incorrect value with the bytes swapped
inside the variable. With this wrong data, the pointer "udp_hdr * udphdr" holds
an incorrect address.

In line 189 of the same module, we have:

buf->toport_chksum = udphdr->dest;

This statement makes the program fetch data from a random memory address, which
in the worst case (when it refers to a forbidden part of the memory space) can
cause a program crash.

In order to fix this bug, line 184 has to be modified as below:

const struct udp_hdr* udphdr = (void*)(((char*)iphdr) + ntohs(IPH_LEN(iphdr)));

Best regards,
Przemyslaw Bejtan.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?43081>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
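The endianness problem described in this report, as an added C example (not lwIP's own code): it builds a constructed 28-byte IPv4/UDP datagram, compares the offset the raw IPH_LEN field yields on a little-endian host with its byte-swapped value and with the IP header length (IHL*4, where the UDP header actually starts), and reads the destination port only after a bounds check against the buffer length. The struct layouts and macros are local stand-ins modelled on lwIP's, and ntohs comes from arpa/inet.h.

```c
/* Added example, not lwIP code: a network-order IPv4 length field read as a
 * host integer gives a wild offset on little-endian hosts; a bounds check
 * rejects any UDP header offset before the header is dereferenced. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
/* Local stand-ins for lwIP's packed ip_hdr/udp_hdr (RFC 791 / RFC 768 layout). */
struct ip_hdr {
  uint8_t  _v_hl;    /* version (high nibble), IHL in 32-bit words (low nibble) */
  uint8_t  _tos;
  uint16_t _len;     /* total length, network byte order, exactly as on the wire */
  uint16_t _id, _offset;
  uint8_t  _ttl, _proto;
  uint16_t _chksum;
  uint32_t src, dest;
} __attribute__((packed));
struct udp_hdr { uint16_t src, dest, len, chksum; } __attribute__((packed));
#define IPH_LEN(hdr) ((hdr)->_len)          /* raw field, no byte swap, like lwIP */
#define IPH_HL(hdr)  ((hdr)->_v_hl & 0x0f)  /* header length in 32-bit words */
/* Constructed 28-byte IPv4+UDP datagram: no options, no payload, checksums zeroed. */
const uint8_t sample_pkt[28] = {
  0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
  0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0x02, /* 192.168.0.1 -> 192.168.0.2 */
  0x1f, 0x90, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00, /* sport 8080, dport 53, len 8 */
};
int host_is_little_endian(void) { uint16_t x = 1; return *(uint8_t *)&x == 1; }

/* What the 1.4.1 line adds to the pointer: the raw field used as a host integer. */
long udp_offset_raw(const uint8_t *buf)   { return (long)IPH_LEN((const struct ip_hdr *)buf); }
/* The same field byte-swapped: the IP total length in host order. */
long udp_offset_ntohs(const uint8_t *buf) { return (long)ntohs(IPH_LEN((const struct ip_hdr *)buf)); }
/* First byte after the IP header: where the UDP header actually starts. */
long udp_offset_hl(const uint8_t *buf)    { return 4L * IPH_HL((const struct ip_hdr *)buf); }

/* A whole udp_hdr must lie inside the buffer before any of its fields is read. */
int udp_offset_in_bounds(long off, size_t buf_len) {
  return off >= (long)sizeof(struct ip_hdr) && (size_t)off + sizeof(struct udp_hdr) <= buf_len;
}

/* Bounds-checked read of the UDP destination port; returns -1 instead of a wild read. */
int udp_dest_port(const uint8_t *buf, size_t buf_len, uint16_t *port) {
  long off = udp_offset_hl(buf);
  if (buf_len < sizeof(struct ip_hdr) || !udp_offset_in_bounds(off, buf_len)) return -1;
  struct udp_hdr uh;
  memcpy(&uh, buf + off, sizeof uh);  /* memcpy: no unaligned struct access */
  *port = ntohs(uh.dest);
  return 0;
}
```

On a little-endian host the raw offset for this datagram is 0x1c00 (7168) instead of 28, so the bounds check rejects it; the check also rejects the byte-swapped total length, since for a datagram with no payload that offset is the end of the buffer.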