Any malicous segment could contain a SYN up to now (no check).
A SYN in the wrong segment could break OOSEQ queueing.
Fix this by allowing SYN only in states where it is required.
See bug #56397: Assert "tcp_receive: ooseq tcplen > rcv_wnd"
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
This uses VirtualAlloc/VirtualProtect on windows to simulate RX buffers
that are readonly to lwIP (see task #14807).
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
This adds some basic checks to the subroutines of eap_input to check
that we have requested or agreed to doing EAP authentication before
doing any processing on the received packet. The motivation is to
make it harder for a malicious peer to disrupt the operation of pppd
by sending unsolicited EAP packets. Note that eap_success() already
has a check that the EAP client state is reasonable, and does nothing
(apart from possibly printing a debug message) if not.
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sylvain Rochet <gradator@gradator.net> (ported to lwIP PPP pcb struct)
Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname). This fixes the check so we
actually avoid overflowing the rhostname array.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sylvain Rochet <gradator@gradator.net> (compiler warning fix about int vs uint comparisons)
When we have multiple netifs where at least one has checksum offloading
capabilities, IP forwarding needs to set various checksum fields to 0
to prevent HW algorithms on calculating an invalid checksum.
-> set checksum fields of IP/UDP/TCP/ICMP to 0 in ip4_forward().
See bug #56288
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
This is just to keep the code clean and prevent using the "echo" header
where any ICMP header is meant.
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
See bug #57445. Short version of the description there: lwip_select() failed
to decrement 'select_waiting' of a socket since that code part failed on
'free_pending' sockets. However, the code does not have to check that as it
has marked the socket to be in use itself earlier.
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
Use 'PBUF_IP_HLEN+PBUF_TRANSPORT_HLEN' instead of '40' to calculate
PBUF_POOL_BUFSIZE (the size of each PBUF_POOL buffer) since the former
can be 60 when IPv6 is enabled.
See bug #56355
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
This converts all ppp_*() debug functions to ppp_*(()) macros that
ensure the code is left out by the linker if the corresponding debug
setting is disabled.
Downside is that many lines of code are touched, but since these
already differ to upstream PPP sources, I figured that's ok...
See bug #55199
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
In order to reuse the debug-enable checks for PPP debug macros,
move the flag and level checks from LWIP_DEBUGF to a new macro
that can be used elsewhere.