lwip-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [patch #9209] udp/raw: prevent packet length overflows

From: David van Moolenbroek
Subject: [lwip-devel] [patch #9209] udp/raw: prevent packet length overflows
Date: Thu, 5 Jan 2017 22:26:52 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 
URL:
  <http://savannah.nongnu.org/patch/?9209>

                 Summary: udp/raw: prevent packet length overflows
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: dcvmoole
            Submitted on: Thu 05 Jan 2017 10:26:50 PM GMT
                Category: UDP
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None

    _______________________________________________________

Details:

Commit message reproduced below.

I'd be more confident if tot_len overflows were checked everywhere, but I
understand that they are intentionally tolerated for TCP with window scaling.
I /believe/ that the checks added by this patch are both complete for the
problem at hand and not interfering with the TCP case. I have tested the
former as well as I can, but I cannot test the latter.

FWIW, it looks like similar problems could be triggered at the ethernet level,
but I think it's safe to assume that a reasonable MTU will prevent such cases
there. More asserts would probably be nice, but at least the TCP window
scaling case makes it hard to do that easily in a centralized place (eg
pbuf_cat()).

===

Previously, on netifs with unrestricted MTUs (typically loopback interfaces),
it was possible to give a packet to the UDP/RAW API calls that is so large
that when prepending headers, the pbuf's tot_len field would overflow. This
could easily result in undesirable behavior at lower layers, e.g. a crash when
copying the packet for later delivery.

This patch models such overflows as memory allocation errors, thus resulting
in clean failures. Checks have to be added in multiple places to cover
(hopefully) all cases.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Thu 05 Jan 2017 10:26:50 PM GMT  Name:
0001-udp-raw-prevent-packet-length-overflows.patch  Size: 3kB   By: dcvmoole

<http://savannah.nongnu.org/patch/download.php?file_id=39384>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/patch/?9209>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]