[lwip-devel] [bug #23947] ip_reass_chain_frag_into_datagram_and_validate
From: Huang Po Sung
Subject: [lwip-devel] [bug #23947] ip_reass_chain_frag_into_datagram_and_validate() wrongly cast to incompatible pointer
Date: Mon, 28 Jul 2008 09:53:28 +0000
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
URL: <http://savannah.nongnu.org/bugs/?23947>
Summary: ip_reass_chain_frag_into_datagram_and_validate()
wrongly cast to incompatible pointer
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: geminicat
Submitted on: Monday 07/28/08 at 09:53
Category: IPv4
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.3.0
_______________________________________________________
Details:
There is a serious bug in ip_reass_chain_frag_into_datagram_and_validate() of
ip_frag.c. Just a few lines after the function starts:
.
.
.
1. iprh = (struct ip_reass_helper*)new_p->payload;
2. iprh->next_pbuf = NULL;
3. iprh->start = offset;
4. iprh->end = offset + len;
The "new_p->payload" is a pointer to the actual IP frame data. How can you
just cast it into (struct ip_reass_helper *) as line 1 shows, and write
unmatched structure values into it, as lines 2~4 show?
Whenever there is a need to reassemble, this code will destroy the real IP
data and cause system malfunction or even a crash.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?23947>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
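
An added example, not part of the original report and not lwIP code, that measures which bytes of a buffer the overlay in lines 1-4 of the report overwrites. The struct's field types, the constructed sample fragment (payload assumed to start at the IPv4 header) and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HLEN 20 /* IPv4 header without options */

/* Field names are from the report; the field types are an assumption. */
struct reass_helper {
    void    *next_pbuf;
    uint16_t start;
    uint16_t end;
};

/* Constructed sample: 20-byte IPv4 header (payload assumed to start here)
 * followed by 8 bytes of fragment data. Checksum left as zero. */
const uint8_t sample_frag[IP_HLEN + 8] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x20, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02,
    'F', 'R', 'A', 'G', 'D', 'A', 'T', 'A'
};

/* Apply the overlay from lines 1-4 of the report to buf. memcpy writes the
 * same bytes as the cast-and-assign without relying on buf's alignment. */
void overlay_helper(uint8_t *buf, uint16_t offset, uint16_t len)
{
    struct reass_helper h;
    memset(&h, 0, sizeof h);          /* also zeroes any padding bytes */
    h.next_pbuf = NULL;
    h.start = offset;
    h.end = (uint16_t)(offset + len);
    memcpy(buf, &h, sizeof h);
}

/* Count bytes in [from, to) that differ between the sample and buf. */
size_t changed_bytes(const uint8_t *buf, size_t from, size_t to)
{
    size_t n = 0;
    for (size_t i = from; i < to; i++)
        n += (buf[i] != sample_frag[i]);
    return n;
}

/* Returns 1 if the overlay stays inside the header, 0 if it reaches data. */
int overlay_fits_header(void)
{
    return sizeof(struct reass_helper) <= IP_HLEN;
}
```

The overwritten region is the first sizeof(struct reass_helper) bytes at the payload pointer, so any header field needed later has to be read or copied before the overlay is written.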