[lwip-devel] [bug #24596] Vulnerability on faulty TCP options length
From: Simon Goldschmidt
Date: Sat, 18 Oct 2008 15:24:17 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Update of bug #24596 (project lwip):
Status: None => Ready For Test
Assigned to: None => goldsimon
_______________________________________________________
Follow-up Comment #1:
The solution for this is really simple: the variable indexing the options was
a u8_t. Adding an option-length of nearly 0xff led to that u8_t overflowing,
which is why tcp_parseopt looped endlessly.
However, in contrast to the suggestion to drop this packet, I decided to stay
with ignoring further options if such a malformed packet is received: it's
what we did until now. After all, the only option we can handle is MSS...
Thanks for submitting this, Fabian.
Checked in the fix.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?24596>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
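
The index wrap described in the comment above, as an added example that is not lwIP's code and not part of the original message: an option walk with an 8-bit index beside one that uses a wider index and checks each option length against the bytes that remain, ignoring further options on a malformed length. All names, the sample bytes and the MAX_STEPS guard are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2, MAX_STEPS = 1000 };

/* Constructed sample option bytes (not taken from the bug report). */
const uint8_t sample_ok[]  = { 0x01, 0x01, 0x02, 0x04, 0x05, 0xb4 }; /* NOP NOP MSS=1460 */
const uint8_t sample_bad[] = { 0x01, 0x01, 0x08, 0xfe };   /* length 0xfe in 4 bytes */

/* Option walk with an 8-bit index. Returns the number of loop steps, or -1
 * when MAX_STEPS (a guard added for this demo) shows it never terminates. */
int walk_u8_index(const uint8_t *opts, uint8_t len)
{
    int steps = 0;
    for (uint8_t c = 0; c < len; steps++) {
        if (steps >= MAX_STEPS) return -1;
        if (opts[c] == OPT_EOL) break;
        if (opts[c] == OPT_NOP) { c++; continue; }
        if (c + 1 >= len || opts[c + 1] == 0) break;
        c = (uint8_t)(c + opts[c + 1]);   /* 2 + 0xfe wraps back to 0 */
    }
    return steps;
}

/* Option walk with a size_t index. Returns the MSS, or 0 if none was found;
 * a malformed length ends parsing and the remaining options are ignored. */
uint16_t parse_mss(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == OPT_EOL) break;
        if (kind == OPT_NOP) { i++; continue; }
        if (len - i < 2) break;                      /* no length byte */
        size_t optlen = opts[i + 1];
        if (optlen < 2 || optlen > len - i) break;   /* malformed length */
        if (kind == OPT_MSS && optlen == 4)
            return (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
        i += optlen;
    }
    return 0;
}

int main(void)
{
    printf("u8 walk on bad input: %d\n", walk_u8_index(sample_bad, (uint8_t)sizeof sample_bad));
    printf("checked walk: bad mss=%u, ok mss=%u\n", (unsigned)parse_mss(sample_bad,
           sizeof sample_bad), (unsigned)parse_mss(sample_ok, sizeof sample_ok));
    return 0;
}
```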