[SECURITY] Prevent rhostname array overflow
#1
Added ability for the host environment to define locking functions that protect entry to the LwIP stack by the LwIP tcpip thread. This enables coordinated use of the LwIP "raw" APIs from multiple threads. This feature differs from LwIP's experimental TCPIP_CORE_LOCKING feature in that it does not alter the behavior of other LwIP APIs such as the netconn API. Note that the two features cannot be used together.
Enforce a copy of inbound buffers received from the wlan (WiFi) interface into a PBUF_POOL buffer.
Removed unnecessary inclusion of sys/ioctl.h in lwipopts.h that results in compilation errors in certain contexts where LwIP headers are included.
…ogic
Fixed a bug in LwIP source address selection logic for IPv6 packets.
This change corresponds to commit e2cb69d8d5782b35c95120860e56c08430ea238c
from tps/lwip:nest/stable
Author: james woodyatt <[email protected]>
Date: Mon Mar 9 12:49:01 2015 -0700
Jira COM-483: LWIP bad source IPv6 address selection logic.
This change corresponds to commit 192ac1284fa1b24d8cb9cd770eb8b4ece234fdc1 from tps/lwip:nest/stable
Author: Abtin Keshavarzian <[email protected]>
Date: Fri Apr 8 09:35:44 2016 -0700
ip6_addr.h: Fix the ip6_get_subnet_id() macro to return correct
subnet id
This commit changes the macro definition of ip6_get_subnet_id() in
ip6_addr.h header file, so it returns the correct subnet id for a
given ipv6 address.
This change corresponds to commit e8214e9a9d39832f5cd2268cc4eb7a3049e0cdb4
from tps/lwip:nest/stable
Author: chenshu <[email protected]>
Date: Fri Apr 8 16:22:08 2016 +0800
WEAV-1175: Send neighbor solicitation immediately for the new add
'INCOMPLETE' neighbor entry
Add support to LwIP UDP PCBs for binding to a specific interface. This change is adapted from commit 1720798ad6454de2d97ef2f0871614c29db7d970 in tps/lwip:nest/stable.
Added support for creating and managing IPv6 static routes in LwIP. This gives applications the
ability to configure additional IPv6 routes (and corresponding gateways) beyond those discovered
via IPv6 router advertisements. The change also introduces the ability to assign an IPv6 address
to an interface with a prefix length that is less than or greater than /64 (e.g. /48 or /128).
This change squashes the following commits from tps/lwip:nest/stable:
1bcf5288ce15cd9f9ba66212dca6082f558f5744 Static route table management in LwIP
0d81f966acd45499a55f50df37add7980fa150dc Fix for build breakage
050faa22689a53b874a73a5d2420d9a95034dc79 Replace entry if a prefix match is found
8a30aa1b561bc1ef3cfb69547bda39aa6a6804e6 Added function to return the head of the route table
c193a852cd7dfcc60a852e60448dcd2d1901c2eb Compare prefix length and address(upto prefix length) separately for adding to route table
6c75b0a1dbb8cfef73fbdf8fc9732867e96b5962 fix issues resulting in failures when trying to remove an IPv6 route from the route table.
Enabled support for LwIP's custom pbufs, which are required for certain Weave functionality.
Individual patch files containing all the changes necessary (to date) to make the ESP-IDF release/v3.0 version of LwIP compatible with Weave.
be the case that `vallen >= len + sizeof(rhostname)`. This PR fixes the check so the `rhostname` array does not overflow.
Reported-by: Github Security Lab <[email protected]>
Signed-off-by: Alvaro Muñoz <[email protected]>
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
📝 Please visit https://cla.developers.google.com/ to sign.
Once you've signed (or fixed any issues), please reply here with
What to do if you already signed the CLA
Individual signers
Corporate signers
ℹ️ Googlers: Go here for more info.
This is an automatically generated security fix for a vulnerability detected in your code which is a variant of CVE-2020-8597.
You can read in more detail about this vulnerability in CERT Advisory VU#782301.
The vulnerability occurs because, given that `vallen` was checked to be less than `len`, it can never be the case that `vallen >= len + sizeof(rhostname)`. Therefore, `rhostname` never gets trimmed and the `rhostname` array may overflow.
While this PR was generated for your project automatically, the supporting analysis was performed and verified by the GitHub Security Lab.
The original finding was reported by Ilja Van Sprundel from IOActive.
The proposed patch was developed by Paul Mackerras (paulusmack) from the Samba project in
paulusmack/ppp@8d7970b#diff-b7f5f2404cf3f5c09b1f8ad9364bb340.
The original vulnerability got assigned CVE-2020-8597 which has a CVSS v3.1 Base Score of 9.8/10.
Source
The source code that generated and submitted this PR is based on JLLeitschuh/bulk-security-pr-generator.
Opting-Out
This bot will respect the ROBOTS.txt format. If you'd like to opt-out of any future automated security vulnerability fixes like this, please consider adding a file called `.github/GH-ROBOTS.txt` to your repository with the line:
'''
User-agent: GSL/bulk-security-pr-generator
Disallow: *
'''
Alternatively, if this project is no longer actively maintained, consider archiving the repository.
CLA Requirements
This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.
It is unlikely that we will be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.
If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.
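The length check described in the PR description above, as an added example that is not part of the pull request or the project's code: it puts the condition quoted on this page beside a comparison of the remaining name length (`len - vallen >= sizeof(rhostname)`, an assumption here because the diff is not shown on this page) and counts the `(len, vallen)` pairs whose copy would not fit. `RHOSTNAME_SIZE`, the function names and the inputs are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RHOSTNAME_SIZE 256 /* assumed buffer size, for illustration only */

/* Bytes (excluding the NUL) copied under the check as quoted on this page.
 * Precondition from the earlier parser check: vallen < len. */
size_t copy_len_flawed(size_t len, size_t vallen) {
    if (vallen >= len + RHOSTNAME_SIZE) /* unreachable when vallen < len */
        return RHOSTNAME_SIZE - 1;
    return len - vallen;                /* taken every time, never trimmed */
}

/* Same decision, comparing the remaining name length with the buffer size. */
size_t copy_len_fixed(size_t len, size_t vallen) {
    if (len - vallen >= RHOSTNAME_SIZE)
        return RHOSTNAME_SIZE - 1;      /* trim, leaving room for the NUL */
    return len - vallen;
}

/* Count (len, vallen) pairs with vallen < len <= max_len whose copy, plus
 * the terminating NUL, would not fit in a RHOSTNAME_SIZE-byte array. */
size_t count_oversized(size_t (*copy_len)(size_t, size_t), size_t max_len) {
    size_t bad = 0;
    for (size_t len = 1; len <= max_len; len++)
        for (size_t vallen = 0; vallen < len; vallen++)
            if (copy_len(len, vallen) + 1 > RHOSTNAME_SIZE)
                bad++;
    return bad;
}

/* Bounded extraction using the corrected comparison; always NUL-terminates. */
size_t extract_rhostname(const unsigned char *inp, size_t len, size_t vallen,
                         char rhostname[RHOSTNAME_SIZE]) {
    size_t n = copy_len_fixed(len, vallen);
    memcpy(rhostname, inp + vallen, n);
    rhostname[n] = '\0';
    return n;
}

int main(void) {
    printf("oversized copies, flawed check: %zu\n",
           count_oversized(copy_len_flawed, 300));
    printf("oversized copies, fixed check:  %zu\n",
           count_oversized(copy_len_fixed, 300));
    return 0;
}
```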