If the hostname is not set in the DISCOVER packet, then some servers might
issue an OFFER with hostname configured and consequently reject the REQUEST
with any other hostname.
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Co-Authored-By: Simon Goldschmidt <goldsimon@gmx.de>
Enables to configure:
* DHCP_COARSE_TIMER_SECS
* if DHCP_DEFINE_CUSTOM_TIMEOUTS defined these addtional options are
available:
- DHCP_CALC_TIMEOUT_FROM_OFFERED_T0_LEASE to adjust the t0 lease timeout from the offered value
- DHCP_CALC_TIMEOUT_FROM_OFFERED_T1_RENEW same for t1 renew
- DHCP_CALC_TIMEOUT_FROM_OFFERED_T2_REBIND same for t2 rebind
- DHCP_NEXT_TIMEOUT_THRESHOLD to adjust the period of the next timeout
- DHCP_REQUEST_BACKOFF_SEQUENCE to adjust back-off times based on DHCP
request attempts
Also updates timeout type from u16 to u32 - eps useful when DHCP_COARSE_TIMER_SECS is a smaller number
Reproducer (in bash):
base64 -d <<< "H4sIAP/9L2QCA+3WoQ2AMBSE4QoCTFHBBJfgSRF4RDfpRmgmYBpGQRBCk4ZiSfk/+fJMK+5dZRVpzSQzSs6oPierDV4y87WxLQLwE42SfNCdDyHJB9/xZwAARPbMJbUq4JJmu4JVT1cAAACfbGIqoqcMzy90eu+aBw2+N28WFgAA" | gunzip | test/fuzz/lwip_fuzz2
Crash log:
../../src/core/altcp_tcp.c:178:13: runtime error: member access within null pointer of type 'struct tcp_pcb'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/core/altcp_tcp.c:178:13 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==192415==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x557065081703 bp 0x0aae0cb71204 sp 0x7ffd034dabc0 T0)
==192415==The signal is caused by a READ memory access.
==192415==Hint: address points to the zero page.
#0 0x557065081703 in altcp_tcp_setup_callbacks /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:178:19
#1 0x55706508206f in altcp_tcp_setup /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:189:3
#2 0x55706508206f in altcp_tcp_accept /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:84:5
#3 0x557065095592 in tcp_input /.../lwip/test/fuzz/../../src/core/tcp_in.c:380:9
#4 0x5570650e752f in ip4_input /.../lwip/test/fuzz/../../src/core/ipv4/ip4.c:743:9
#5 0x55706513d4de in ethernet_input /.../lwip/test/fuzz/../../src/netif/ethernet.c:186:9
#6 0x557064fe0959 in input_pkt /.../lwip/test/fuzz/fuzz_common.c:209:9
#7 0x557064fdeb6a in input_pkts /.../lwip/test/fuzz/fuzz_common.c:257:9
#8 0x557064fdeb6a in lwip_fuzztest /.../lwip/test/fuzz/fuzz_common.c:669:3
#9 0x7ff4f578e189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x7ff4f578e244 in __libc_start_main csu/../csu/libc-start.c:381:3
#11 0x557064f20420 in _start (/.../lwip/test/fuzz/lwip_fuzz2+0x81420) (BuildId: 8680a96430d5749c90111fe9c3a3d4f881a5dbcd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /.../lwip/test/fuzz/../../src/core/altcp_tcp.c:178:19 in altcp_tcp_setup_callbacks
==192415==ABORTING
Aborted
When a registered netif ext-callback unregisters itself when being
called (e.g. because some state is reached by this event), the invoke
iteration might access uninitialized memory or at least stop the
iteration (because next is set to null).
Fix his by caching the next pointer during iteration before calling
callbacks.
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
It turns out the crash only occurs if LWIP_DEBUG is enabled. If the
parameter dest is NULL the function tries to find a route using the
destination address of the packet instead. If this fails as well a
debug message is printed but it is still using dest causing a NULL
pointer dereference and crash at src/core/ipv6/ip6.c line 1312.
[erik@kryo.se: Apply fix to ip6_output_hinted as well]
This simple patch causes tcp_listen() to inherit the netbuf_idx setting
of the original pcb. Without this, it is not possible to restrict a
socket to a specific interface using SO_BINDTODEVICE before listening.
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
Like pbuf_copy, but can copy part of a pbuf to an offset in another.
pbuf_copy now uses this function internally.
Replace pbuf_take_at loop in icmp6 with pbuf_copy_partial_pbuf().
Fixes bug #58553, and the newly added unit test.
The pbuf_take_at loop should probably be made into a pbuf library
function, which would avoid this mistake in the future and provide
a simpler implementation of pbuf_copy.
Building PPP CCP support without adding any compressor support serve
no real use case. Forbid doing so instead of bloating the code with
more ifdef.
Signed-off-by: Sylvain Rochet <gradator@gradator.net>
Any malicous segment could contain a SYN up to now (no check).
A SYN in the wrong segment could break OOSEQ queueing.
Fix this by allowing SYN only in states where it is required.
See bug #56397: Assert "tcp_receive: ooseq tcplen > rcv_wnd"
Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>