[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [patch #9209] udp/raw: prevent packet length overflows
From: |
David van Moolenbroek |
Subject: |
[lwip-devel] [patch #9209] udp/raw: prevent packet length overflows |
Date: |
Thu, 5 Jan 2017 22:26:52 +0000 (UTC) |
User-agent: |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 |
URL:
<http://savannah.nongnu.org/patch/?9209>
Summary: udp/raw: prevent packet length overflows
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: dcvmoole
Submitted on: Thu 05 Jan 2017 10:26:50 PM GMT
Category: UDP
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Commit message reproduced below.
I'd be more confident if tot_len overflows were checked everywhere, but I
understand that they are intentionally tolerated for TCP with window scaling.
I /believe/ that the checks added by this patch are both complete for the
problem at hand and not interfering with the TCP case. I have tested the
former as well as I can, but I cannot test the latter.
FWIW, it looks like similar problems could be triggered at the ethernet level,
but I think it's safe to assume that a reasonable MTU will prevent such cases
there. More asserts would probably be nice, but at least the TCP window
scaling case makes it hard to do that easily in a centralized place (eg
pbuf_cat()).
===
Previously, on netifs with unrestricted MTUs (typically loopback interfaces),
it was possible to give a packet to the UDP/RAW API calls that is so large
that when prepending headers, the pbuf's tot_len field would overflow. This
could easily result in undesirable behavior at lower layers, e.g. a crash when
copying the packet for later delivery.
This patch models such overflows as memory allocation errors, thus resulting
in clean failures. Checks have to be added in multiple places to cover
(hopefully) all cases.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Thu 05 Jan 2017 10:26:50 PM GMT Name:
0001-udp-raw-prevent-packet-length-overflows.patch Size: 3kB By: dcvmoole
<http://savannah.nongnu.org/patch/download.php?file_id=39384>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/patch/?9209>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [lwip-devel] [patch #9209] udp/raw: prevent packet length overflows,
David van Moolenbroek <=