From d8d1e4a0150180bc88cc14dbe17565976780bb85 Mon Sep 17 00:00:00 2001 
From: Jonathan Neuschäfer
Date: Fri, 7 Apr 2023 15:03:19 +0200
Subject: [PATCH] altcp: Fix NULL pointer dereference found by fuzzing

Reproducer (in bash):

base64 -d <<< "H4sIAP/9L2QCA+3WoQ2AMBSE4QoCTFHBBJfgSRF4RDfpRmgmYBpGQRBCk4ZiSfk/+fJMK+5dZRVpzSQzSs6oPierDV4y87WxLQLwE42SfNCdDyHJB9/xZwAARPbMJbUq4JJmu4JVT1cAAACfbGIqoqcMzy90eu+aBw2+N28WFgAA" | gunzip | test/fuzz/lwip_fuzz2

Crash log:

../../src/core/altcp_tcp.c:178:13: runtime error: member access within null pointer of type 'struct tcp_pcb'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/core/altcp_tcp.c:178:13 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==192415==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x557065081703 bp 0x0aae0cb71204 sp 0x7ffd034dabc0 T0)
==192415==The signal is caused by a READ memory access.
==192415==Hint: address points to the zero page.
    #0 0x557065081703 in altcp_tcp_setup_callbacks /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:178:19
    #1 0x55706508206f in altcp_tcp_setup /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:189:3
    #2 0x55706508206f in altcp_tcp_accept /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:84:5
    #3 0x557065095592 in tcp_input /.../lwip/test/fuzz/../../src/core/tcp_in.c:380:9
    #4 0x5570650e752f in ip4_input /.../lwip/test/fuzz/../../src/core/ipv4/ip4.c:743:9
    #5 0x55706513d4de in ethernet_input /.../lwip/test/fuzz/../../src/netif/ethernet.c:186:9
    #6 0x557064fe0959 in input_pkt /.../lwip/test/fuzz/fuzz_common.c:209:9
    #7 0x557064fdeb6a in input_pkts /.../lwip/test/fuzz/fuzz_common.c:257:9
    #8 0x557064fdeb6a in lwip_fuzztest /.../lwip/test/fuzz/fuzz_common.c:669:3
    #9 0x7ff4f578e189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7ff4f578e244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #11 0x557064f20420 in _start (/.../lwip/test/fuzz/lwip_fuzz2+0x81420) (BuildId: 8680a96430d5749c90111fe9c3a3d4f881a5dbcd)

AddressSanitizer can
not provide additional info. SUMMARY: AddressSanitizer: SEGV /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:178:19 in altcp_tcp_setup_callbacks ==192415==ABORTING Aborted --- src/core/altcp_tcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/altcp_tcp.c b/src/core/altcp_tcp.c index fd6a6a5e..4f21b703 100644 --- a/src/core/altcp_tcp.c +++ b/src/core/altcp_tcp.c @@ -75,7 +75,7 @@ static err_t altcp_tcp_accept(void *arg, struct tcp_pcb *new_tpcb, err_t err) { struct altcp_pcb *listen_conn = (struct altcp_pcb *)arg; - if (listen_conn && listen_conn->accept) { + if (new_tpcb && listen_conn && listen_conn->accept) { /* create a new altcp_conn to pass to the next 'accept' callback */ struct altcp_pcb *new_conn = altcp_alloc(); if (new_conn == NULL) {
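Review bot: The added `new_tpcb &&` in the guard of altcp_tcp_accept stops the dereference, but it folds the NULL case into the same silent skip used for a missing listener or a missing accept callback, so the `err` parameter that arrives together with a NULL new pcb is never forwarded to `listen_conn->accept` and the application is not told that an accept failed. Consider handling the NULL pcb explicitly ahead of the existing check, for example `if (new_tpcb == NULL) { ... forward err to listen_conn->accept with a NULL connection ... }`, so the error propagates the way the raw TCP accept callback already reports it. The hunk also does not show what the function returns once the combined condition is false; please confirm that the fall-through path does not return ERR_OK for a NULL `new_tpcb`, since the caller in tcp_input treats that as a successful accept.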