From: J. Neuschäfer
Subject: [lwip-devel] [patch #10328] Fix crash in altcp_tcp_setup_callbacks, found with fuzzing
Date: Fri, 7 Apr 2023 09:23:11 -0400 (EDT)
URL:
<https://savannah.nongnu.org/patch/?10328>
Summary: Fix crash in altcp_tcp_setup_callbacks, found with fuzzing
Group: lwIP - A Lightweight TCP/IP stack
Submitter: jne
Submitted: Fri 07 Apr 2023 01:23:09 PM UTC
Category: None
Priority: 7 - High
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Fri 07 Apr 2023 01:23:09 PM UTC By: J. Neuschäfer <jne>
I found a crash bug in the altcp code.
Reproducer (in bash):
base64 -d <<< "H4sIAP/9L2QCA+3WoQ2AMBSE4QoCTFHBBJfgSRF4RDfpRmgmYBpGQRBCk4ZiSfk/+fJMK+5dZRVpzSQzSs6oPierDV4y87WxLQLwE42SfNCdDyHJB9/xZwAARPbMJbUq4JJmu4JVT1cAAACfbGIqoqcMzy90eu+aBw2+N28WFgAA" | gunzip | test/fuzz/lwip_fuzz2
Crash log:
../../src/core/altcp_tcp.c:178:13: runtime error: member access within
null pointer of type 'struct tcp_pcb'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
../../src/core/altcp_tcp.c:178:13 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==192415==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x557065081703 bp 0x0aae0cb71204 sp 0x7ffd034dabc0 T0)
==192415==The signal is caused by a READ memory access.
==192415==Hint: address points to the zero page.
#0 0x557065081703 in altcp_tcp_setup_callbacks
/.../lwip/test/fuzz/../../src/core/altcp_tcp.c:178:19
#1 0x55706508206f in altcp_tcp_setup
/.../lwip/test/fuzz/../../src/core/altcp_tcp.c:189:3
#2 0x55706508206f in altcp_tcp_accept
/.../lwip/test/fuzz/../../src/core/altcp_tcp.c:84:5
#3 0x557065095592 in tcp_input
/.../lwip/test/fuzz/../../src/core/tcp_in.c:380:9
#4 0x5570650e752f in ip4_input
/.../lwip/test/fuzz/../../src/core/ipv4/ip4.c:743:9
#5 0x55706513d4de in ethernet_input
/.../lwip/test/fuzz/../../src/netif/ethernet.c:186:9
#6 0x557064fe0959 in input_pkt
/.../lwip/test/fuzz/fuzz_common.c:209:9
#7 0x557064fdeb6a in input_pkts
/.../lwip/test/fuzz/fuzz_common.c:257:9
#8 0x557064fdeb6a in lwip_fuzztest
/.../lwip/test/fuzz/fuzz_common.c:669:3
#9 0x7ff4f578e189 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x7ff4f578e244 in __libc_start_main csu/../csu/libc-start.c:381:3
#11 0x557064f20420 in _start (/.../lwip/test/fuzz/lwip_fuzz2+0x81420)
(BuildId: 8680a96430d5749c90111fe9c3a3d4f881a5dbcd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/.../lwip/test/fuzz/../../src/core/altcp_tcp.c:178:19 in
altcp_tcp_setup_callbacks
==192415==ABORTING
Aborted
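The backtrace above shows tcp_input invoking the altcp accept wrapper with a NULL struct tcp_pcb, which altcp_tcp_setup_callbacks then dereferences. As an added illustration (constructed for this page; it is not lwIP's altcp_tcp.c and not the attached patch), the C model below reproduces that callback chain in miniature: a setup routine that refuses a NULL inner pcb, and an accept wrapper that forwards an error notification to the application with no connection object instead of touching the missing pcb. All type and function names (model_*, app_accept, the small pool standing in for altcp_alloc) and the assumption that a NULL pcb accompanies a non-ERR_OK error code are this example's own.

```c
/* Constructed model of a layered accept-callback chain in the style of
 * lwIP's altcp wrapper. Example code only: not lwIP's altcp_tcp.c and not
 * the attached patch. The struct layouts, model_* names and the pool that
 * stands in for altcp_alloc() are assumptions made for this illustration. */
#include <stddef.h>
#include <stdio.h>

typedef signed char err_t;
#define ERR_OK     0
#define ERR_ABRT (-13)
#define ERR_ARG  (-16)

/* Minimal stand-ins for the inner (tcp) and outer (altcp) control blocks. */
struct tcp_pcb {
  void *callback_arg;
  int   callbacks_set;   /* records that the wrapper installed its callbacks */
};

struct altcp_pcb {
  struct tcp_pcb *inner;
  void *arg;
  err_t (*accept)(void *arg, struct altcp_pcb *new_conn, err_t err);
};

/* Observable record of what the application's accept callback saw. */
static int g_app_accept_calls;
static err_t g_app_last_err;
static struct altcp_pcb *g_app_last_conn;

static err_t app_accept(void *arg, struct altcp_pcb *new_conn, err_t err)
{
  (void)arg;
  g_app_accept_calls++;
  g_app_last_err = err;
  g_app_last_conn = new_conn;
  return ERR_OK;
}

/* Guarded setup: refuses a NULL inner pcb before writing through it. Writing
 * tpcb->callback_arg without this check is the "member access within null
 * pointer of type 'struct tcp_pcb'" pattern the sanitizer reported. */
err_t model_setup(struct altcp_pcb *conn, struct tcp_pcb *tpcb)
{
  if (conn == NULL || tpcb == NULL) {
    return ERR_ARG;
  }
  tpcb->callback_arg = conn;
  tpcb->callbacks_set = 1;
  conn->inner = tpcb;
  return ERR_OK;
}

/* The wrapper's accept callback, as the inner TCP layer would invoke it. */
static err_t model_accept(void *arg, struct tcp_pcb *new_tpcb, err_t err)
{
  struct altcp_pcb *listen_conn = (struct altcp_pcb *)arg;
  static struct altcp_pcb conn_pool[4];   /* stand-in for altcp_alloc() */
  static int next_slot;
  struct altcp_pcb *new_conn;

  if (listen_conn == NULL || listen_conn->accept == NULL) {
    return ERR_ARG;
  }
  if (new_tpcb == NULL) {
    /* Error notification (assumed to arrive with a non-ERR_OK code): pass it
     * on with no connection object rather than dereferencing the NULL pcb. */
    return listen_conn->accept(listen_conn->arg, NULL,
                               err != ERR_OK ? err : ERR_ABRT);
  }
  new_conn = &conn_pool[next_slot++ % 4];
  if (model_setup(new_conn, new_tpcb) != ERR_OK) {
    return ERR_ARG;
  }
  return listen_conn->accept(listen_conn->arg, new_conn, err);
}

/* Drives one accept: with_pcb != 0 delivers a valid inner pcb and ERR_OK,
 * with_pcb == 0 delivers a NULL pcb with ERR_ABRT. Returns the wrapper's
 * verdict so a test can check it. */
err_t run_accept_case(int with_pcb)
{
  static struct tcp_pcb inner;
  struct altcp_pcb listener = { NULL, NULL, app_accept };
  inner.callbacks_set = 0;
  return model_accept(&listener, with_pcb ? &inner : NULL,
                      with_pcb ? ERR_OK : ERR_ABRT);
}

int app_accept_calls(void) { return g_app_accept_calls; }
err_t app_last_err(void) { return g_app_last_err; }
int app_last_conn_is_null(void) { return g_app_last_conn == NULL; }

int main(void)
{
  err_t r = run_accept_case(0);
  printf("NULL pcb:  wrapper returned %d, app got %s conn, err %d\n",
         r, app_last_conn_is_null() ? "no" : "a", app_last_err());
  r = run_accept_case(1);
  printf("valid pcb: wrapper returned %d, app got %s conn, err %d\n",
         r, app_last_conn_is_null() ? "no" : "a", app_last_err());
  return 0;
}
```

The design point is that the NULL check belongs in the wrapper before any callback registration, since every layer of a stacked callback API has to honour the same contract its inner layer does (an error notification may arrive without a connection object). The model forwards that notification to the application so the listener is still told about the failed accept.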
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 07 Apr 2023 01:23:09 PM UTC Name:
0001-altcp-Fix-NULL-pointer-dereference-found-by-fuzzing.patch Size: 3KiB
By: jne
<http://savannah.nongnu.org/patch/download.php?file_id=54579>
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/patch/?10328>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/