| Field | Value |
|---|---|
| Title | lwIP 2.1.0 Stack-based Buffer Overflow |
| Description | A critical pre-authentication stack buffer overflow vulnerability was identified in lwIP (Lightweight IP), the dominant TCP/IP stack for RTOS-based embedded systems. The vulnerability exists in the SNMPv3 USM (User-based Security Model) parameter parsing function snmp_parse_inbound_frame() in src/apps/snmp/snmp_msg.c.<br>At line 949, a bounds check for the msgAuthenticationParameters field is commented out:<br>`/* IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); */`<br>The subsequent call to snmp_asn1_dec_raw() at lines 950-951 passes the attacker-controlled BER-encoded length (tlv.value_len, type u16_t) as both the read length and the maximum buffer size parameter (buf_max_len). This makes the function's internal bounds check (`if (len > buf_max_len)` at snmp_asn1.c:591) self-defeating -- it evaluates as x > x, which is always false.<br>The destination buffer msg_authentication_parameters is a fixed 12-byte array (SNMP_V3_MAX_AUTH_PARAM_LENGTH, defined in snmpv3_priv.h:49) allocated within struct snmp_request, which is a stack-local variable (declared at snmp_msg.c:289). An attacker-supplied BER-encoded OCTET STRING with a length exceeding 12 bytes will overflow this buffer into adjacent struct fields, saved registers, and the return address.<br>The overflow occurs during USM security parameter parsing (line 950), BEFORE the HMAC authentication check (line 1035). No credentials are required. A single UDP packet to port 161 triggers the vulnerability.<br>An additional u8_t truncation at line 952 (`request->msg_authentication_parameters_len = (u8_t)u16_value`) means a 256-byte payload produces a stored length of 0, bypassing the post-hoc safety check at line 1041.<br>This vulnerability was introduced in commit f092d091 on 2017-03-01 (author: Marco Veeneman, "Added handling invalid packets in SNMPv3"), where an originally active bounds check assert was commented out. It is present in all lwIP releases from 2.1.0 through the current 2.2.1 and the master branch. The 2.0.x series does not contain this commit.<br>For proof that this is a bug and not design: the adjacent msgPrivacyParameters decode at lines 961-962 correctly passes the compile-time constant SNMP_V3_MAX_PRIV_PARAM_LENGTH as buf_max_len. The auth parameters line is the only one that passes tlv.value_len to itself.<br>The vulnerability has been acknowledged and patched; it needs a CVE id for tracking.<br>https://savannah.nongnu.org/bugs/?68194<br>https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c |
| Source | ⚠️ https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c |
| User | 0rbitingZer0 (UID 96146) |
| Submission | 14.05.2026 17:17 (21 days ago) |
| Moderated | 18.05.2026 16:24 (4 days later) |
| Status | Accepted |
| VulDB Entry | 364474 [lwIP up to 2.2.1 snmpv3 USM src/apps/snmp/snmp_msg.c snmp_parse_inbound_frame msgAuthenticationParameters buffer overflow] |
| Points | 20 |
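The two call shapes the description contrasts, modelled in C as an added example (this is not lwIP's code and not part of the submission): the `len > buf_max_len` guard evaluated with the TLV length passed as its own bound versus with the real 12-byte field size, the u8_t narrowing of the stored length, and a decode that only copies when the correct guard passes. The 12-byte size comes from the description; `guard_passes`, `decode_auth_params` and the sample bytes are constructed here.

```c
#include <stdint.h>
#include <string.h>

typedef uint16_t u16_t;
typedef uint8_t  u8_t;

/* Size of msg_authentication_parameters as stated in the submission (snmpv3_priv.h). */
#define SNMP_V3_MAX_AUTH_PARAM_LENGTH 12

/* The comparison the submission quotes from snmp_asn1.c. Evaluated on its own,
 * without copying, so an oversized length can be examined without overflowing. */
static int guard_passes(u16_t len, u16_t buf_max_len)
{
    return !(len > buf_max_len);   /* 1 = decode proceeds, 0 = rejected */
}

/* Vulnerable call shape (snmp_msg.c lines 950-951): the attacker-controlled
 * length is also used as the capacity, so the guard is x > x and never fires. */
int vulnerable_guard_passes(u16_t value_len)
{
    return guard_passes(value_len, value_len);
}

/* Fixed call shape, matching the adjacent msgPrivacyParameters decode:
 * the compile-time capacity of the destination field is the bound. */
int fixed_guard_passes(u16_t value_len)
{
    return guard_passes(value_len, SNMP_V3_MAX_AUTH_PARAM_LENGTH);
}

/* The u8_t narrowing from line 952: a 256-byte length is stored as 0, which a
 * later check on the stored length cannot distinguish from "no parameters". */
u8_t stored_len(u16_t value_len)
{
    return (u8_t)value_len;
}

/* Constructed safe decode: copies only when the fixed guard passes, so the
 * stored length is always <= 12 and the narrowing can no longer wrap. */
int decode_auth_params(const u8_t *src, u16_t value_len,
                       u8_t dst[SNMP_V3_MAX_AUTH_PARAM_LENGTH], u8_t *dst_len)
{
    if (!fixed_guard_passes(value_len)) {
        return -1;                 /* oversized OCTET STRING rejected before any copy */
    }
    memcpy(dst, src, value_len);
    *dst_len = (u8_t)value_len;    /* safe: value_len <= 12 here */
    return 0;
}
```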