lwip-devel
[lwip-devel] Error in handling of TCP Options field


From: fabian . koch
Subject: [lwip-devel] Error in handling of TCP Options field
Date: Fri, 17 Oct 2008 12:13:22 +0200


Hello everyone,

We have discovered some potential errors in LwIP while putting our device through a series of security-related stress/error/fuzz tests on the Ethernet.
The stack seems to crash when subjected to specifically crafted packets where the actual TCP Options length does not match the length value that the packet says it will be.
(We are using a slightly modified version of the LwIP 1.3.0-stable release.)

Our security testing center has the following comment:

It is recommended to have a proper boundary checking (i.e., value in the fields to be
checked against the actual values of a particular field) while processing a received TCP
packet. <Device> should discard a packet with TCP Options Length field that does not match
the actual length of the TCP Options field. If this length does not match the actual value, the
packet should then be discarded. This should be fixed by the TCP/IP stack vendor.

I attach two screenshots of Wireshark to this mail. These show the crafted packets with their intentionally wrong TCP Options.
Please consider fixing this issue by doing correct boundary checking of the TCP header and its options field in tcp_input() in 1.3.1.

Yours sincerely,
Fabian
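
The boundary check requested in the message above, as an added example that is not part of the original post and is not lwIP code: it validates the TCP data offset against the bytes actually received, then walks the options and rejects any per-option length that is too small or runs past the header. The names tcp_options_valid and check_sample and the sample option bytes are hypothetical and constructed for illustration; checking both the data offset and the per-option lengths is an assumption about what the quoted comment means by "TCP Options Length".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HLEN_MIN 20u  /* fixed TCP header size in bytes */

/* Return 0 if header and option lengths fit in the seg_len bytes actually
 * received, -1 if the segment must be dropped before options are used. */
int tcp_options_valid(const uint8_t *seg, size_t seg_len)
{
    size_t hdr_len, left;
    const uint8_t *opt;

    if (seg == NULL || seg_len < TCP_HLEN_MIN) return -1;
    hdr_len = (size_t)(seg[12] >> 4) * 4u;  /* data offset, in 32-bit words */
    if (hdr_len < TCP_HLEN_MIN || hdr_len > seg_len) return -1;

    opt = seg + TCP_HLEN_MIN;
    left = hdr_len - TCP_HLEN_MIN;
    while (left > 0) {
        uint8_t kind = opt[0];
        if (kind == 0) break;                        /* End of Option List */
        if (kind == 1) { opt++; left--; continue; }  /* NOP is a single byte */
        if (left < 2) return -1;                     /* no room for a length byte */
        if (opt[1] < 2 || opt[1] > left) return -1;  /* would stall or overrun */
        left -= opt[1];
        opt += opt[1];
    }
    return 0;
}

/* Constructed test input (hypothetical helper): a zeroed 20-byte header with
 * the given data offset, followed by n option bytes that really arrived. */
int check_sample(unsigned doff_words, const uint8_t *opts, size_t n)
{
    uint8_t seg[60] = {0};
    if (n > sizeof(seg) - TCP_HLEN_MIN) return -1;
    seg[12] = (uint8_t)(doff_words << 4);
    memcpy(seg + TCP_HLEN_MIN, opts, n);
    return tcp_options_valid(seg, TCP_HLEN_MIN + n);
}

static const uint8_t OPTS_OK[]      = {2, 4, 0x05, 0xb4};   /* MSS, length 4 */
static const uint8_t OPTS_OVERRUN[] = {2, 40, 0x05, 0xb4};  /* claims 40 bytes */
static const uint8_t OPTS_ZERO[]    = {8, 0, 1, 1};         /* length 0 */

int main(void)
{
    printf("ok=%d overrun=%d zero=%d\n", check_sample(6, OPTS_OK, 4),
           check_sample(6, OPTS_OVERRUN, 4), check_sample(6, OPTS_ZERO, 4));
    return 0;
}
```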




