Submission #829798: lwIP 2.1.0 Stack-based Buffer Overflow Information

Title: lwIP 2.1.0 Stack-based Buffer Overflow

Description: A critical pre-authentication stack buffer overflow vulnerability was identified in lwIP (Lightweight IP), the dominant TCP/IP stack for RTOS-based embedded systems. The vulnerability exists in the SNMPv3 USM (User-based Security Model) parameter parsing function snmp_parse_inbound_frame() in src/apps/snmp/snmp_msg.c.

At line 949, a bounds check for the msgAuthenticationParameters field is commented out: /* IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); */ The subsequent call to snmp_asn1_dec_raw() at lines 950-951 passes the attacker-controlled BER-encoded length (tlv.value_len, type u16_t) as both the read length and the maximum buffer size parameter (buf_max_len). This makes the function's internal bounds check (if (len > buf_max_len) at snmp_asn1.c:591) self-defeating -- it evaluates as x > x, which is always false.

The destination buffer msg_authentication_parameters is a fixed 12-byte array (SNMP_V3_MAX_AUTH_PARAM_LENGTH, defined in snmpv3_priv.h:49) allocated within struct snmp_request, which is a stack-local variable (declared at snmp_msg.c:289). An attacker-supplied BER-encoded OCTET STRING with a length exceeding 12 bytes will overflow this buffer into adjacent struct fields, saved registers, and the return address. The overflow occurs during USM security parameter parsing (line 950), BEFORE the HMAC authentication check (line 1035). No credentials are required. A single UDP packet to port 161 triggers the vulnerability. An additional u8_t truncation at line 952 (request->msg_authentication_parameters_len = (u8_t)u16_value) means a 256-byte payload produces a stored length of 0, bypassing the post-hoc safety check at line 1041.

This vulnerability was introduced in commit f092d091 on 2017-03-01 (author: Marco Veeneman, "Added handling invalid packets in SNMPv3"), where an originally active bounds check assert was commented out. It is present in all lwIP releases from 2.1.0 through the current 2.2.1 and the master branch. The 2.0.x series does not contain this commit.

For proof that this is a bug and not design: the adjacent msgPrivacyParameters decode at lines 961-962 correctly passes the compile-time constant SNMP_V3_MAX_PRIV_PARAM_LENGTH as buf_max_len. The auth parameters line is the only one that passes tlv.value_len to itself.

The vulnerability has been acknowledged and patched; it needs a CVE id for tracking: https://savannah.nongnu.org/bugs/?68194 https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c
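The two length-handling defects the description walks through (the self-defeating buf_max_len guard and the u8_t narrowing of the stored length) modelled in C, next to the check a hardened parser performs before copying. This is an added illustration, not lwIP's own code: ber_read_tlv, dec_raw_guard_accepts, parse_auth_params_hardened, hardened_accepts_len and the sample OCTET STRINGs are constructed here for the example, and the vulnerable variant only models the accept/reject decision rather than performing any copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  u8_t;
typedef uint16_t u16_t;

#define SNMP_V3_MAX_AUTH_PARAM_LENGTH 12   /* size of the fixed destination buffer */
#define BER_OCTET_STRING 0x04

/* Minimal BER tag+length header decoder (short form, and long form with 1 or 2
 * length octets). Returns the header size consumed, or 0 if malformed/truncated.
 * Written for this example; not lwIP's ASN.1 code. */
static size_t ber_read_tlv(const u8_t *p, size_t n, u8_t *tag, u16_t *value_len)
{
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *value_len = p[1]; return 2; }
    size_t nlen = p[1] & 0x7f;               /* number of length octets; 0 = indefinite, rejected */
    if (nlen == 0 || nlen > 2 || n < 2 + nlen) return 0;
    u16_t len = 0;
    for (size_t i = 0; i < nlen; i++) len = (u16_t)((len << 8) | p[2 + i]);
    *value_len = len;
    return 2 + nlen;
}

/* The guard inside a raw-octet decoder: accept only if len fits the buffer it was told about. */
static int dec_raw_guard_accepts(u16_t len, u16_t buf_max_len)
{
    return len <= buf_max_len;
}

/* Vulnerable call pattern: the attacker-controlled length is passed as buf_max_len,
 * so the guard reduces to x > x and never rejects. Only the decision is modelled. */
int auth_params_accepted_vulnerable(u16_t value_len)
{
    return dec_raw_guard_accepts(value_len, value_len);
}

/* Fixed call pattern: the compile-time buffer size is the bound, as the adjacent
 * msgPrivacyParameters decode already does. */
int auth_params_accepted_fixed(u16_t value_len)
{
    return dec_raw_guard_accepts(value_len, SNMP_V3_MAX_AUTH_PARAM_LENGTH);
}

/* Narrowing the stored length to u8_t: 256 becomes 0, so a later
 * "stored length <= 12" check passes for that input. */
u8_t stored_auth_len(u16_t value_len)
{
    return (u8_t)value_len;
}

int posthoc_check_passes(u16_t value_len)
{
    return stored_auth_len(value_len) <= SNMP_V3_MAX_AUTH_PARAM_LENGTH;
}

/* Hardened parse of one msgAuthenticationParameters OCTET STRING: check the BER
 * length against the destination size before any copy (the check that was commented
 * out) and reject truncated input. Returns 1 on accept, 0 on reject. */
int parse_auth_params_hardened(const u8_t *pkt, size_t n,
                               u8_t out[SNMP_V3_MAX_AUTH_PARAM_LENGTH], u16_t *out_len)
{
    u8_t tag;
    u16_t value_len;
    size_t hdr = ber_read_tlv(pkt, n, &tag, &value_len);
    if (hdr == 0 || tag != BER_OCTET_STRING) return 0;
    if (value_len > SNMP_V3_MAX_AUTH_PARAM_LENGTH) return 0;   /* bound on the wire length */
    if (n - hdr < value_len) return 0;                           /* truncated packet */
    memcpy(out, pkt + hdr, value_len);
    *out_len = value_len;                                        /* u16_t, no narrowing */
    return 1;
}

/* Build a constructed OCTET STRING of value_len filler bytes (up to 300) and run the
 * hardened parser over it. Returns the parser's verdict. */
int hardened_accepts_len(u16_t value_len)
{
    u8_t pkt[4 + 300];
    u8_t out[SNMP_V3_MAX_AUTH_PARAM_LENGTH];
    u16_t out_len = 0;
    size_t hdr;
    if (value_len > 300) return 0;           /* sample-builder limit, not a parser rule */
    pkt[0] = BER_OCTET_STRING;
    if (value_len < 0x80) { pkt[1] = (u8_t)value_len; hdr = 2; }
    else { pkt[1] = 0x82; pkt[2] = (u8_t)(value_len >> 8); pkt[3] = (u8_t)value_len; hdr = 4; }
    memset(pkt + hdr, 0xAA, value_len);
    return parse_auth_params_hardened(pkt, hdr + value_len, out, &out_len);
}

int main(void)
{
    u16_t lens[] = { 12, 13, 256 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        u16_t l = lens[i];
        printf("len=%3u: vulnerable guard=%d fixed guard=%d stored u8_t=%3u post-hoc passes=%d hardened=%d\n",
               (unsigned)l, auth_params_accepted_vulnerable(l), auth_params_accepted_fixed(l),
               (unsigned)stored_auth_len(l), posthoc_check_passes(l), hardened_accepts_len(l));
    }
    return 0;
}
```

The three sample lengths cover the boundary (12, accepted everywhere), the first oversize value (13, which only the self-defeating guard accepts) and the truncation case (256, which the vulnerable guard accepts and whose stored u8_t length of 0 also satisfies a post-hoc check, while the hardened parser rejects it on the wire length before any copy).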
Source: https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c
User: 0rbitingZer0 (UID 96146)
Submitted: 2026-05-14 17:17 (21 days ago)
Moderation: 2026-05-18 16:24 (4 days later)
Status: Accepted
VulDB entry: 364474 [lwIP up to 2.2.1 snmpv3 USM src/apps/snmp/snmp_msg.c snmp_parse_inbound_frame msgAuthenticationParameters memory corruption]
Points: 20
