[lwip-devel] [bug #48402] Bug in skipping over TCP options

lwip-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #48402] Bug in skipping over TCP options

From:	Ambroz Bizjak
Subject:	[lwip-devel] [bug #48402] Bug in skipping over TCP options
Date:	Mon, 4 Jul 2016 21:30:57 +0000 (UTC)
User-agent:	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

URL:
  <http://savannah.nongnu.org/bugs/?48402>

                 Summary: Bug in skipping over TCP options
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: abizjak
            Submitted on: Mon 04 Jul 2016 09:30:55 PM GMT
                Category: TCP
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Hey,
I am looking at the code in tcp_in.c that attempts to skip over the TCP header
including TCP options (/* Move the payload pointer in the pbuf ) and I think
there it has the following issues:

1) LWIP_ASSERT("tcphdr_opt1len >= p->len"...) can actually be >, because  that
follows from "if (p->len < hdrlen_bytes) {".

2) "if (optlen > tcphdr_opt1len) {" is always true since it is equivalent to
my suggested improved assert above, i.e. to "tcphdr_opt1len > p->len" at the
time of that assert.

3) The check "if(tcphdr_optlen - tcphdr_opt1len > p->tot_len) {" verifies only
that the options fit into the pbuf chain, but the following pbuf_header call
is done without a check that the amount the pbuf is advanced does not exceed
the size of the (second) pbuf. This is a bug because pbuf_header will hit
LWIP_ERROR("increment_magnitude <= p->len"....) which will call
LWIP_PLATFORM_ASSERT if assertions are enabled.

4) This code is unnecessarily complicated, making it hard to see that my
previous points are true (or false :). Too many variables especially
"optlens", lots of mutations of such variables!




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?48402>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[lwip-devel] [bug #48402] Bug in skipping over TCP options, Ambroz Bizjak <=
- [lwip-devel] [bug #48402] Bug in skipping over TCP options, Ambroz Bizjak, 2016/07/04
  - [lwip-devel] [bug #48402] Bug in skipping over TCP options, Ambroz Bizjak, 2016/07/04
    - [lwip-devel] [bug #48402] Bug in skipping over TCP options, Simon Goldschmidt, 2016/07/08
    - [lwip-devel] [bug #48402] Bug in skipping over TCP options, Simon Goldschmidt, 2016/07/08

Prev by Date: [lwip-devel] [patch #9038] SNMP Traps with varbinds
Next by Date: [lwip-devel] [bug #48402] Bug in skipping over TCP options
Previous by thread: [lwip-devel] [bug #48398] dns: entries reused during found-callback could be aborted if ttl==0
Next by thread: [lwip-devel] [bug #48402] Bug in skipping over TCP options
Index(es):
- Date
- Thread