[lwip-devel] [bug #53747] Bug in NetBIOS NS
From: Arkadiusz Wróbel
Subject: [lwip-devel] [bug #53747] Bug in NetBIOS NS
Date: Wed, 25 Apr 2018 02:23:04 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
URL:
<http://savannah.nongnu.org/bugs/?53747>
Summary: Bug in NetBIOS NS
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: catsuryuu
Submitted on: Wed 25 Apr 2018 06:23:02 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
The packet's size should be verified before casting to 'struct netbios_hdr *'.
Similarly with 'struct netbios_name_hdr *'.
I think p->tot_len should be at least 50 to work properly.
If an external host sends a query with length equal to 48, two uninitialized
bytes from the heap will be sent back to it (in the 'cls' field).
I attached an example of the data leak in 'example_leak.pcapng' (0x4242 leaked
from the previous packet).
I worked on 'echop' with 'echop_run_NBNS.patch'. The patch is only to trigger
the bug.
[Related with: lwip/src/apps/netbiosns/netbiosns.c:343-344]
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 25 Apr 2018 06:23:02 AM UTC Name: echop_run_NBNS.patch Size: 579B
By: catsuryuu
The patch is only to trigger the bug.
<http://savannah.nongnu.org/bugs/download.php?file_id=44018>
-------------------------------------------------------
Date: Wed 25 Apr 2018 06:23:02 AM UTC Name: example_leak.pcapng Size: 680B
By: catsuryuu
The patch is only to trigger the bug.
<http://savannah.nongnu.org/bugs/download.php?file_id=44019>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?53747>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
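The length check the report asks for, written out as an added example. This is not the reporter's patch and not lwIP's own netbiosns.c; it is a stand-alone parser that models the NBNS query layout from RFC 1002 (a 12-byte header, a 34-byte encoded name consisting of a length octet, 32 characters and a terminating zero, then a 2-byte TYPE and a 2-byte CLASS), which is why the minimum is 50 bytes, matching the figure in the report. The function and type names (`nbns_parse_query`, `struct nbns_query`, `build_sample_query`) are hypothetical, and the sample query is constructed for the demonstration. Parsing a 48-byte query is refused before any field past the payload is read, so the CLASS field can never be populated from stale memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NBNS wire layout (RFC 1002): 12-byte header, then one question made of a
 * 34-byte encoded name (length octet + 32 chars + NUL), 2-byte TYPE and
 * 2-byte CLASS.  12 + 34 + 2 + 2 = 50 bytes is the smallest complete query. */
#define NBNS_HDR_LEN       12u
#define NBNS_ENCNAME_LEN   34u
#define NBNS_QUERY_MIN_LEN (NBNS_HDR_LEN + NBNS_ENCNAME_LEN + 2u + 2u) /* 50 */

/* Hypothetical parsed-query record (not lwIP's struct netbios_hdr). */
struct nbns_query {
    uint16_t trans_id;
    uint16_t flags;
    uint16_t questions;
    uint8_t  encname[NBNS_ENCNAME_LEN];   /* raw encoded name, as received */
    uint16_t type;
    uint16_t cls;
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);   /* big-endian on the wire */
}

/* Returns 0 and fills *q if buf holds a complete NBNS query, -1 otherwise.
 * The length test comes first: every field offset below is only valid once
 * we know the payload really is at least NBNS_QUERY_MIN_LEN bytes long. */
int nbns_parse_query(const uint8_t *buf, size_t len, struct nbns_query *q)
{
    if (buf == NULL || q == NULL || len < NBNS_QUERY_MIN_LEN) {
        return -1;   /* too short: TYPE/CLASS would lie beyond the payload */
    }
    /* Sanity-check the encoded name: 32 characters and a zero terminator. */
    if (buf[NBNS_HDR_LEN] != 32 || buf[NBNS_HDR_LEN + 33] != 0) {
        return -1;
    }
    q->trans_id  = rd16(buf);
    q->flags     = rd16(buf + 2);
    q->questions = rd16(buf + 4);
    memcpy(q->encname, buf + NBNS_HDR_LEN, NBNS_ENCNAME_LEN);
    q->type = rd16(buf + NBNS_HDR_LEN + NBNS_ENCNAME_LEN);        /* offset 46 */
    q->cls  = rd16(buf + NBNS_HDR_LEN + NBNS_ENCNAME_LEN + 2u);   /* offset 48 */
    return 0;
}

/* Constructed sample query: name of 32 'A's, TYPE NB (0x0020), CLASS IN
 * (0x0001), then truncated to want_len bytes.  out must hold 50 bytes.
 * Returns the number of bytes written. */
size_t build_sample_query(uint8_t *out, size_t want_len)
{
    uint8_t full[NBNS_QUERY_MIN_LEN];
    size_t n = want_len < sizeof full ? want_len : sizeof full;
    memset(full, 0, sizeof full);
    full[0] = 0x12; full[1] = 0x34;           /* transaction id */
    full[2] = 0x01; full[3] = 0x10;           /* flags: query, recursion desired */
    full[5] = 0x01;                           /* one question */
    full[NBNS_HDR_LEN] = 32;                  /* encoded-name length octet */
    memset(full + NBNS_HDR_LEN + 1, 'A', 32); /* 32 encoded name characters */
    full[NBNS_HDR_LEN + 33] = 0;              /* name terminator */
    full[46] = 0x00; full[47] = 0x20;         /* TYPE = NB */
    full[48] = 0x00; full[49] = 0x01;         /* CLASS = IN */
    memcpy(out, full, n);
    return n;
}

/* Parse the sample query truncated to len bytes; 0 = accepted, -1 = rejected. */
int sample_query_accepted(size_t len)
{
    uint8_t buf[NBNS_QUERY_MIN_LEN];
    struct nbns_query q;
    return nbns_parse_query(buf, build_sample_query(buf, len), &q);
}

/* CLASS field of the full 50-byte sample query (0xFFFF if parsing fails). */
uint16_t sample_query_cls(void)
{
    uint8_t buf[NBNS_QUERY_MIN_LEN];
    struct nbns_query q;
    if (nbns_parse_query(buf, build_sample_query(buf, NBNS_QUERY_MIN_LEN), &q) != 0) {
        return 0xFFFF;
    }
    return q.cls;
}

int main(void)
{
    printf("48-byte query: %s\n", sample_query_accepted(48) == 0 ? "accepted" : "rejected");
    printf("50-byte query: %s, cls=0x%04x\n",
           sample_query_accepted(50) == 0 ? "accepted" : "rejected", sample_query_cls());
    return 0;
}
```

The point of doing the size comparison before any cast or field access is that a too-short datagram usually does not crash an embedded stack: the pbuf memory behind the payload is larger than `tot_len`, so an unchecked read of the last two bytes simply returns whatever the previous packet left there, which is exactly the `0x4242` the attached capture shows being echoed back. Rejecting anything shorter than the 50-byte minimum (and, as a cheap extra check, anything whose encoded name is malformed) removes that path entirely.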