
[lwip-devel] [bug #53747] Bug in NetBIOS NS


From: Arkadiusz Wróbel
Subject: [lwip-devel] [bug #53747] Bug in NetBIOS NS
Date: Wed, 25 Apr 2018 02:23:04 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

URL:
  <http://savannah.nongnu.org/bugs/?53747>

                 Summary: Bug in NetBIOS NS
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: catsuryuu
            Submitted on: Wed 25 Apr 2018 06:23:02 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

The packet's size should be verified before casting to 'struct netbios_hdr *'.
Similarly with 'struct netbios_name_hdr *'.

I think p->tot_len should be at least 50 to work properly.

If an external host sends a query with length equal to 48, two uninitialized
bytes from the heap will be sent back to it (in the 'cls' field).
I attached an example of the data leak in 'example_leak.pcapng' (0x4242 leaked
from the previous packet).
I worked on 'echop' with 'echop_run_NBNS.patch'. The patch is only to trigger
the bug.

[Related with: lwip/src/apps/netbiosns/netbiosns.c:343-344]



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 25 Apr 2018 06:23:02 AM UTC  Name: echop_run_NBNS.patch  Size: 579B  By: catsuryuu
The patch is only to trigger the bug.
<http://savannah.nongnu.org/bugs/download.php?file_id=44018>
-------------------------------------------------------
Date: Wed 25 Apr 2018 06:23:02 AM UTC  Name: example_leak.pcapng  Size: 680B  By: catsuryuu
The patch is only to trigger the bug.
<http://savannah.nongnu.org/bugs/download.php?file_id=44019>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?53747>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
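The report's point is that the name-service handler reads header fields at fixed offsets without first confirming the packet is long enough to contain them, so a 48-byte query makes the 16-bit 'cls' field (wire offset 48..49) come from whatever the receive buffer held before. The following C program is an added illustration written for this page; it is not lwIP's netbiosns.c, and its constants (12-byte header, 16-byte NetBIOS name encoded to 32 bytes plus a 0 terminator, TYPE and CLASS, hence the 50-byte minimum the report mentions), its 'nbns_*' function names and the query it builds are all this example's own assumptions. It contrasts an unchecked read of CLASS against a parser that rejects short input before touching any field, and reproduces the stale-bytes effect with a buffer pre-filled with 0x42:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of a NetBIOS name-service query (RFC 1002 shape): 12-byte
 * DNS-style header, 1 length byte, 32 bytes of first-level-encoded name,
 * a 0 terminator, then 16-bit TYPE and CLASS.  These constants are this
 * example's own assumptions, not values taken from lwIP. */
#define NBNS_NAME_LEN       16
#define NBNS_HDR_LEN        12
#define NBNS_ENCNAME_LEN    (NBNS_NAME_LEN * 2)
#define NBNS_NAME_HDR_LEN   (1 + NBNS_ENCNAME_LEN + 1 + 2 + 2)  /* 38 */
#define NBNS_MIN_QUERY_LEN  (NBNS_HDR_LEN + NBNS_NAME_HDR_LEN)  /* 50 */
#define NBNS_CLS_OFFSET     (NBNS_MIN_QUERY_LEN - 2)            /* 48 */

enum { NBNS_OK = 0, NBNS_TOO_SHORT = -1, NBNS_BAD_NAME = -2 };

struct nbns_query {
  uint16_t trans_id, flags, type, cls;
  char     name[NBNS_NAME_LEN + 1];   /* decoded name, NUL-terminated */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked read of CLASS: trusts that the buffer holds a full query.
 * Given a 48-byte query it returns two bytes that were never received. */
uint16_t nbns_cls_unchecked(const uint8_t *buf) {
  return rd16(buf + NBNS_CLS_OFFSET);
}

/* Checked parse: validate `len` against the minimum before any field read,
 * so no access can run past the bytes that actually arrived. */
int nbns_parse_query(const uint8_t *buf, size_t len, struct nbns_query *out) {
  if (len < NBNS_MIN_QUERY_LEN) return NBNS_TOO_SHORT;
  const uint8_t *name = buf + NBNS_HDR_LEN;
  if (name[0] != NBNS_ENCNAME_LEN || name[1 + NBNS_ENCNAME_LEN] != 0)
    return NBNS_BAD_NAME;
  out->trans_id = rd16(buf);
  out->flags    = rd16(buf + 2);
  /* First-level decoding: each raw byte was sent as two nibbles, each + 'A'. */
  for (int i = 0; i < NBNS_NAME_LEN; i++) {
    uint8_t hi = name[1 + 2 * i], lo = name[2 + 2 * i];
    if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P') return NBNS_BAD_NAME;
    out->name[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
  }
  out->name[NBNS_NAME_LEN] = '\0';
  out->type = rd16(name + 1 + NBNS_ENCNAME_LEN + 1);
  out->cls  = rd16(name + 1 + NBNS_ENCNAME_LEN + 1 + 2);
  return NBNS_OK;
}

/* Build a well-formed query for `name` (constructed input, not a capture).
 * Returns the byte count written, which is NBNS_MIN_QUERY_LEN (50). */
size_t nbns_build_query(uint8_t *buf, const char *name, uint8_t suffix) {
  uint8_t raw[NBNS_NAME_LEN];
  memset(raw, ' ', sizeof raw);               /* names are space-padded */
  size_t n = strlen(name);
  if (n > NBNS_NAME_LEN - 1) n = NBNS_NAME_LEN - 1;
  memcpy(raw, name, n);
  raw[NBNS_NAME_LEN - 1] = suffix;            /* 16th byte is the suffix */
  memset(buf, 0, NBNS_HDR_LEN);
  buf[0] = 0x12; buf[1] = 0x34;               /* transaction id */
  buf[2] = 0x01; buf[3] = 0x10;               /* flags: query, broadcast */
  buf[5] = 1;                                 /* one question */
  uint8_t *p = buf + NBNS_HDR_LEN;
  *p++ = NBNS_ENCNAME_LEN;
  for (int i = 0; i < NBNS_NAME_LEN; i++) {
    *p++ = (uint8_t)('A' + (raw[i] >> 4));
    *p++ = (uint8_t)('A' + (raw[i] & 0x0F));
  }
  *p++ = 0;
  *p++ = 0x00; *p++ = 0x20;                   /* TYPE NB */
  *p++ = 0x00; *p++ = 0x01;                   /* CLASS IN */
  return (size_t)(p - buf);
}

/* Reproduce the report's scenario: a receive buffer whose stale contents are
 * 0x42, into which only the first 48 bytes of a query are copied.  The
 * unchecked reader hands back the stale 0x4242 as CLASS. */
uint16_t demo_leak(void) {
  uint8_t full[NBNS_MIN_QUERY_LEN], rxbuf[64];
  nbns_build_query(full, "EXAMPLE", 0x00);
  memset(rxbuf, 0x42, sizeof rxbuf);
  memcpy(rxbuf, full, NBNS_MIN_QUERY_LEN - 2);   /* 48 bytes "on the wire" */
  return nbns_cls_unchecked(rxbuf);
}

int main(void) {
  uint8_t buf[64];
  struct nbns_query q;
  size_t n = nbns_build_query(buf, "EXAMPLE", 0x00);
  printf("full query: len=%zu parse=%d\n", n, nbns_parse_query(buf, n, &q));
  printf("48-byte query: parse=%d (expect %d)\n",
         nbns_parse_query(buf, 48, &q), NBNS_TOO_SHORT);
  printf("unchecked CLASS from 48-byte query: 0x%04x\n", demo_leak());
  return 0;
}
```

The length check is the whole fix: once `len < NBNS_MIN_QUERY_LEN` is rejected up front, every later offset is known to lie inside the received bytes, and the reply can only echo data the peer actually sent. In a pbuf-based stack the same check applies to the total length of the chain (the report's `p->tot_len`), not just the first segment.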