
[lwip-users] [lwip] ip_input bug


From: Tim Newsham
Subject: [lwip-users] [lwip] ip_input bug
Date: Wed, 08 Jan 2003 23:37:08 -0000

Some code from ip_input.  There's lots wrong with this:

  /* If a DHCP packet has arrived on the interface, we pass it up the
     stack regardless of destination IP address. The reason is that
     DHCP replies are sent to the IP address that will be given to this
     node (as recommended by RFC 1542 section 3.1.1, referred by RFC
     2131). */
  if(IPH_PROTO(iphdr) == IP_PROTO_UDP &&
     ((struct udp_hdr *)((u8_t *)iphdr + IPH_HL(iphdr) * 4/sizeof(u8_t)))->src ==
     DHCP_SERVER_PORT) {
    netif = inp;
  }


1) accessing the pbuf improperly (is there a requirement that
   ip_input is called with a pbuf with only 1 buffer on it?
   It looks like all of ip_input accesses p->payload directly
   without checking if there are other buffers in the chain)
2) no length check.  If there's a short udp header, this
   will access undefined parts of memory
3) no fragment check.  If this is not the first fragment,
   it's meaningless to look past the IP header w/o reassembly.

seems like a bad way to hack in support for dhcp.

Tim N.

[This message was sent through the lwip discussion list.]
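
The three checks listed in the message above, written out as an added example; this is not lwIP code and not from the original post. It works on a flat byte buffer rather than a pbuf, and the names is_dhcp_server_reply and check_sample, along with the sample packet, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_UDP        17u
#define DHCP_SERVER_PORT 67u
#define IP_OFFMASK       0x1fffu   /* fragment offset bits of the flags/offset field */

/* Returns 1 only if buf[0..len) is a first-or-only-fragment IPv4/UDP packet with
   UDP source port 67. len must be the count of contiguous readable bytes at buf
   (for a pbuf chain, the first segment's length, not the chain total). */
int is_dhcp_server_reply(const uint8_t *buf, size_t len)
{
    size_t ihl, tot;

    if (buf == NULL || len < 20 || (buf[0] >> 4) != 4) return 0;
    ihl = (size_t)(buf[0] & 0x0f) * 4;
    tot = ((size_t)buf[2] << 8) | buf[3];
    if (ihl < 20 || len < ihl + 8 || tot < ihl + 8) return 0; /* whole UDP header present */
    if (buf[9] != PROTO_UDP) return 0;
    if ((((unsigned)buf[6] << 8) | buf[7]) & IP_OFFMASK) return 0; /* not the first fragment */
    return ((((unsigned)buf[ihl] << 8) | buf[ihl + 1]) == DHCP_SERVER_PORT);
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header, of which only
   the first avail bytes are handed to the check. */
int check_sample(uint16_t frag_field, uint16_t sport, size_t avail)
{
    uint8_t pkt[28];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                      /* version 4, IHL 5 */
    pkt[3] = 28;                        /* total length */
    pkt[6] = (uint8_t)(frag_field >> 8);
    pkt[7] = (uint8_t)(frag_field & 0xff);
    pkt[9] = PROTO_UDP;
    pkt[20] = (uint8_t)(sport >> 8);
    pkt[21] = (uint8_t)(sport & 0xff);
    pkt[23] = 68;                       /* destination port 68 */
    return is_dhcp_server_reply(pkt, avail > sizeof pkt ? sizeof pkt : avail);
}

int main(void)
{
    printf("complete reply:      %d\n", check_sample(0, 67, 28));
    printf("short UDP header:    %d\n", check_sample(0, 67, 22));
    printf("non-first fragment:  %d\n", check_sample(0x0001, 67, 28));
    printf("other source port:   %d\n", check_sample(0, 53, 28));
    return 0;
}
```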



