[lwip-devel] [bug #55706] LWIP_ASSERT in tcp_receive fails
From: Hiromasa ITO
Subject: [lwip-devel] [bug #55706] LWIP_ASSERT in tcp_receive fails
Date: Wed, 13 Feb 2019 04:02:37 -0500 (EST)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
URL: <https://savannah.nongnu.org/bugs/?55706>
Summary: LWIP_ASSERT in tcp_receive fails
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: vhertz
Submitted on: Wed 13 Feb 2019 09:02:35 AM UTC
Category: TCP
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
Hi, all.
I found a testcase that fails the LWIP_ASSERT in tcp_receive()
(by fuzzing with AFL).
The LWIP_ASSERT is at tcp_in.c:1532 in lwIP v2.1.2.
This if-block includes the LWIP_ASSERT.
/* --- code snippet start --- */
if (next &&
    TCP_SEQ_GT(seqno + tcplen,
               next->tcphdr->seqno)) {
  inseg.len = (u16_t)(next->tcphdr->seqno - seqno);
  if (TCPH_FLAGS(inseg.tcphdr) & TCP_SYN) {
    inseg.len -= 1;
  }
  pbuf_realloc(inseg.p, inseg.len);
  tcplen = TCP_TCPLEN(&inseg);
  /* fails this assertion */
  LWIP_ASSERT("tcp_receive: segment not trimmed correctly to ooseq queue\n",
              (seqno + tcplen) == next->tcphdr->seqno);
}
/* --- code snippet end --- */
In the testcase, the arguments of the assertion were as below.
seqno : 0x93d897e7
tcplen : 0xffff
next->tcphdr->seqno : 0x93d897e6
And the value of tcplen before the block was 0x0001.
inseg.len is assigned to tcplen.
(next->tcphdr->seqno - seqno) is assigned to inseg.len.
In this case, the value of (next->tcphdr->seqno - seqno) is 0xffffffff.
So this value is out of range for u16_t.
I think we need to add some other validation checks.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?55706>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
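
The truncation described in the report, as an added example that is not part of the original message and is not lwIP code: `trim_unchecked` mirrors the arithmetic of the quoted block with SYN/FIN flags ignored, and `trim_checked` shows one hypothetical validation. The function names and the `SEQ_GT`/`SEQ_LT` macros are written for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Serial-number comparison modulo 2^32, written for this example. */
#define SEQ_GT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) > 0)
#define SEQ_LT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)

/* Mirrors the quoted if-block (SYN/FIN ignored, an assumption of this
 * example): returns the segment length after the trim. */
static uint16_t trim_unchecked(uint32_t seqno, uint16_t tcplen, uint32_t next_seqno)
{
  if (SEQ_GT(seqno + tcplen, next_seqno)) {
    return (uint16_t)(next_seqno - seqno); /* 0xffffffff truncates to 0xffff */
  }
  return tcplen;
}

/* The condition the LWIP_ASSERT tests after trimming. */
static int trimmed_to_next(uint32_t seqno, uint16_t tcplen, uint32_t next_seqno)
{
  return (uint32_t)(seqno + tcplen) == next_seqno;
}

/* Hypothetical validation: 1 = trimmed, 0 = no overlap (length unchanged),
 * -1 = next segment starts before seqno, so no valid trim length exists. */
static int trim_checked(uint32_t seqno, uint16_t tcplen, uint32_t next_seqno,
                        uint16_t *out_len)
{
  uint32_t dist = next_seqno - seqno; /* distance modulo 2^32 */
  if (SEQ_LT(next_seqno, seqno)) {
    return -1;
  }
  /* The cast is lossless: it is only taken when dist < tcplen <= 0xffff. */
  *out_len = (dist < tcplen) ? (uint16_t)dist : tcplen;
  return (dist < tcplen) ? 1 : 0;
}

int main(void)
{
  /* Values taken from the report. */
  uint32_t seqno = 0x93d897e7u, next_seqno = 0x93d897e6u;
  uint16_t len = trim_unchecked(seqno, 0x0001, next_seqno), safe = 0;
  printf("unchecked: tcplen=0x%04x assert holds=%d\n",
         (unsigned)len, trimmed_to_next(seqno, len, next_seqno));
  printf("checked:   rc=%d\n", trim_checked(seqno, 0x0001, next_seqno, &safe));
  return 0;
}
```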