[lwip-devel] [patch #10179] PPPoS: Fix null-deref when processing double
From: David Cermak
Subject: [lwip-devel] [patch #10179] PPPoS: Fix null-deref when processing double break packet
Date: Fri, 18 Feb 2022 12:33:50 -0500 (EST)
URL:
<https://savannah.nongnu.org/patch/?10179>
Summary: PPPoS: Fix null-deref when processing double break
packet
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: david_cermak
Submitted on: Fri 18 Feb 2022 05:33:48 PM UTC
Category: PPP
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Hi,
When processing an input packet containing only zeros, the pppos state
machine assumes these are control fields, so doesn't allocate any pbuf for
data. So if the `PPP_FLAG` comes (start of another valid packet) in this state
and the `FCS` is valid (which is valid as long as only zero characters are
being received) we de-reference `pppos->in_tail` in pppos.c:544.
This is happening (~ frequently) on some devices which send a break signal
during reconnection (see https://github.com/espressif/esp-idf/issues/8300).
This issue was reported some time ago as
https://github.com/espressif/esp-lwip/pull/24
(but didn't have any conclusive evidence the issue is in lwip).
I'm attaching the original patch by @peter-pycom.
Also, adding a unit test that exhibits this issue as a separate patch.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 18 Feb 2022 05:33:48 PM UTC Name: pppos-fix-in_tail-null.patch
Size: 1KiB By: david_cermak
<http://savannah.nongnu.org/patch/download.php?file_id=52881>
-------------------------------------------------------
Date: Fri 18 Feb 2022 05:33:48 PM UTC Name: PPP-Add-test-exhibiting-empty-packet-null-deref.patch
Size: 5KiB By: david_cermak
<http://savannah.nongnu.org/patch/download.php?file_id=52882>
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/patch/?10179>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/