[lwip-devel] [bug #59468] null pointer dereference of lwip function ip_r

From: Wenqiang Li
Subject: [lwip-devel] [bug #59468] null pointer dereference of lwip function ip_reass_free_complete_datagram
Date: Mon, 16 Nov 2020 19:47:54 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36


                 Summary: null pointer dereference of lwip function
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: silentdawn
            Submitted on: Tue 17 Nov 2020 12:47:52 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head



The lwIP function ip_reass_free_complete_datagram() is used to free a datagram
(struct ip_reassdata) and all its pbufs. It is called periodically by the
function ip_reass_tmr(), or by the function ip_reass_remove_oldest_datagram()
to clear the oldest datagram.

When trying to build struct ip_reass_helper *iprh, the function
ip_reass_free_complete_datagram() dereferences the pointer ipr->p->payload as

However, it doesn't check if ipr->p is a null pointer and there is a chance it
could be. This will lead to a null pointer dereference bug. 

It can be reproduced with the attached file, a pcap package.

To patch it, the function ip_reass_free_complete_datagram() should first check
whether ipr->p is null.


File Attachments:

Date: Tue 17 Nov 2020 12:47:52 AM UTC  Name: testcase0.txt  Size: 4KiB   By:
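
A self-contained model of the check the report asks for, added here as an illustration; it is not lwIP source and not the reporter's patch. The model_* structs and the function names are assumptions that only mirror the ipr->p->payload access described above.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for lwIP's pbuf, ip_reass_helper and ip_reassdata
 * (assumed shapes for illustration, not the real definitions). */
struct model_pbuf   { struct model_pbuf *next; void *payload; };
struct model_helper { unsigned short start, end; };
struct model_reass  { struct model_pbuf *p; };

/* Pattern from the report: ipr->p->payload is read with no check on ipr->p.
 * Shown for comparison only; with ipr->p == NULL this dereferences NULL. */
unsigned short first_start_unchecked(const struct model_reass *ipr) {
  return ((const struct model_helper *)ipr->p->payload)->start;
}

/* Guarded form: frees every pbuf in the chain and returns how many it freed.
 * *first_seen becomes 1 only when the head fragment starts at offset 0. */
int free_datagram_checked(struct model_reass *ipr, int *first_seen) {
  int freed = 0;
  *first_seen = 0;
  if (ipr == NULL || ipr->p == NULL) {
    return 0;                      /* empty entry: there is no helper to read */
  }
  if (ipr->p->payload != NULL) {
    *first_seen = ((const struct model_helper *)ipr->p->payload)->start == 0;
  }
  while (ipr->p != NULL) {
    struct model_pbuf *next = ipr->p->next;
    free(ipr->p->payload);
    free(ipr->p);
    ipr->p = next;
    freed++;
  }
  return freed;
}

/* Constructed test helper: push one fragment [start, end) onto the chain. */
int queue_fragment(struct model_reass *ipr, unsigned short start, unsigned short end) {
  struct model_pbuf *p = malloc(sizeof *p);
  struct model_helper *h = malloc(sizeof *h);
  if (p == NULL || h == NULL) { free(p); free(h); return -1; }
  h->start = start; h->end = end;
  p->payload = h; p->next = ipr->p;
  ipr->p = p;
  return 0;
}

int main(void) {
  struct model_reass empty = { NULL }; int seen;
  return free_datagram_checked(&empty, &seen);  /* 0: NULL chain handled */
}
```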