
[lwip-devel] [patch #10124] bug: LWIP_DHCP_MAX_DNS_SERVERS < DNS_MAX_SER


From: Borys Szefler
Subject: [lwip-devel] [patch #10124] bug: LWIP_DHCP_MAX_DNS_SERVERS < DNS_MAX_SERVERS is causing memory corruption
Date: Tue, 19 Oct 2021 04:33:43 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0

URL:
  <https://savannah.nongnu.org/patch/?10124>

                 Summary: bug: LWIP_DHCP_MAX_DNS_SERVERS < DNS_MAX_SERVERS is
causing memory corruption
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: bsz
            Submitted on: Tue 19 Oct 2021 08:33:42 AM UTC
                Category: DHCP
                Priority: 7 - High
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None

    _______________________________________________________

Details:

Bug reproduction: 

#define LWIP_DHCP_MAX_DNS_SERVERS 1
#define DNS_MAX_SERVERS 2

Bug cause:
 In the above case DHCP_OPTION_IDX_MAX = 9, so the dhcp_rx_options_val and
dhcp_rx_options_given tables have size = 9.

 Then in the dhcp_parse_reply function (dhcp.c file) we have
decode_len = LWIP_MIN(len, 4 * DNS_MAX_SERVERS); which then causes
decode_idx to be incremented to 9 and the above tables to be read/written
with idx = 9, which causes memory corruption.

Using LWIP_DHCP_PROVIDE_DNS_SERVERS instead of DNS_MAX_SERVERS in
 decode_len = LWIP_MIN(len, 4 * DNS_MAX_SERVERS); resolves this problem.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 19 Oct 2021 08:33:42 AM UTC  Name:
dhcp_max_servers_memory_corruption_fix.patch  Size: 645B   By: bsz

<http://savannah.nongnu.org/patch/download.php?file_id=52123>

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/patch/?10124>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
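
A simplified model of the index arithmetic described in the report, added here as an example; it is not lwIP code and not the attached patch. The table size of 9 and the two limits come from the report; the function name, the PROVIDED_DNS_SERVERS stand-in and the placement of the DNS slots at the end of the tables are assumptions.

```c
#include <stdio.h>

/* Values taken from the report. */
#define DNS_MAX_SERVERS      2  /* resolver-side limit */
#define DHCP_OPTION_IDX_MAX  9  /* size of both dhcp_rx_options_* tables */
/* Assumptions for this model: a stand-in name for the DHCP-side limit of 1,
 * and the DNS slots being the last entries of the tables. */
#define PROVIDED_DNS_SERVERS 1
#define IDX_DNS_SERVER (DHCP_OPTION_IDX_MAX - PROVIDED_DNS_SERVERS)

#define MIN(a, b) ((a) < (b) ? (a) : (b))

struct decode_result {
    int stored;        /* addresses placed in valid table slots */
    int out_of_bounds; /* accesses at index >= DHCP_OPTION_IDX_MAX */
};

/* Model of the DNS option decode loop: one table slot is used per 4-byte
 * address, and the option length is capped at 4 * max_servers.
 * It only counts accesses; it never touches memory past the table. */
static struct decode_result decode_dns_option(unsigned option_len,
                                              unsigned max_servers)
{
    struct decode_result r = {0, 0};
    unsigned decode_len = MIN(option_len, 4u * max_servers);
    unsigned decode_idx = IDX_DNS_SERVER;

    while (decode_len >= 4) {
        if (decode_idx < DHCP_OPTION_IDX_MAX) {
            r.stored++;
        } else {
            r.out_of_bounds++;
        }
        decode_len -= 4;
        decode_idx++;
    }
    return r;
}

int main(void)
{
    /* Constructed input: a DNS option carrying two IPv4 addresses (8 bytes). */
    struct decode_result bad = decode_dns_option(8, DNS_MAX_SERVERS);
    struct decode_result ok = decode_dns_option(8, PROVIDED_DNS_SERVERS);
    printf("cap by DNS_MAX_SERVERS: stored=%d oob=%d\n", bad.stored, bad.out_of_bounds);
    printf("cap by DHCP-side limit: stored=%d oob=%d\n", ok.stored, ok.out_of_bounds);
    return 0;
}
```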



