[En-Nut-Announce] Nut/OS Security Alert
Harald Kipp
harald.kipp at egnite.de
Thu Oct 2 20:12:45 CEST 2008
A few days ago I received an email in which the poster claimed to have
found a severe security issue. In the very first moment I was a bit
amused: How can this single processing OS for simple RISC targets
provide a security hole? I asked for more details.

After reading the details I was no longer amused. I still didn't follow
the whole mechanism, but it seems to be possible to read from and even
write to memory locations by a simple malformed ICMP echo request (ping).

The central problem is that net/ipin.c only checks the minimum IP
header size, which enables an attacker to access memory beyond the
allocated NETBUF.

Replacing

    if (ip_hdrlen < sizeof(IPHDR)) {

by

    if (ip_hdrlen != sizeof(IPHDR)) {

in net/ipin.c near line 190 will solve this, but most likely similar
problems exist in other parts of the TCP/IP stack.

Regards,
Harald Kipp
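
A more general form of the length check discussed in the message above, as an added example that is not part of the original post and is not Nut/OS code: instead of rejecting every header with options, it bounds the claimed header length and total length by the bytes actually received. The function, enum and sample names are hypothetical; buf/len stand in for the NETBUF data and its size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MIN_HDRLEN 20u /* size of an IPv4 header without options */

/* Hypothetical result codes for this example. */
enum ip_check { IP_OK, IP_TOO_SHORT, IP_BAD_VERSION, IP_BAD_HDRLEN, IP_BAD_TOTLEN };

/*
 * Validate an IPv4 header against the number of bytes actually received.
 * On IP_OK, *hdrlen and *paylen describe regions that lie fully inside buf.
 */
enum ip_check ip_check_header(const uint8_t *buf, size_t len,
                              size_t *hdrlen, size_t *paylen)
{
    size_t ihl, total;

    if (len < IP_MIN_HDRLEN)
        return IP_TOO_SHORT;
    if ((buf[0] >> 4) != 4)
        return IP_BAD_VERSION;

    /* IHL counts 32-bit words. A lower bound alone is not enough:
       the claimed header must also fit in the received data. */
    ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < IP_MIN_HDRLEN || ihl > len)
        return IP_BAD_HDRLEN;

    /* Total length (network byte order) must cover the header and
       must not exceed what was received. */
    total = ((size_t)buf[2] << 8) | buf[3];
    if (total < ihl || total > len)
        return IP_BAD_TOTLEN;

    *hdrlen = ihl;
    *paylen = total - ihl;
    return IP_OK;
}

/* Constructed samples: 28-byte datagrams, only version/IHL/length set. */
static const uint8_t sample_good[28] = { 0x45, 0x00, 0x00, 0x1c };
static const uint8_t sample_bad[28]  = { 0x4f, 0x00, 0x00, 0x1c }; /* IHL=15 */

int main(void)
{
    size_t h = 0, p = 0;
    printf("good: %d\n", ip_check_header(sample_good, sizeof sample_good, &h, &p));
    printf("bad:  %d\n", ip_check_header(sample_bad, sizeof sample_bad, &h, &p));
    return 0;
}
```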