Impact
In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN
or CWR , the buf will out-of-bounds write a byte zero.
When a malformed tcp packet is received, the tcp_flags function does not check the
validity of the parameters, but directly parses the th_flags field in TCP header. When
th_flags is ECN or CWR , in the tcp_flags function, len is always 0, and buf[0-1] will be
written '\0' . This will modify other data on the stack.
Patches
For more information
If you have any questions or comments about this advisory:
embargo: 2022-08-18
Impact
In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN
or CWR , the buf will out-of-bounds write a byte zero.
When a malformed tcp packet is received, the tcp_flags function does not check the
validity of the parameters, but directly parses the th_flags field in TCP header. When
th_flags is ECN or CWR , in the tcp_flags function, len is always 0, and buf[0-1] will be
written '\0' . This will modify other data on the stack.
Patches
For more information
If you have any questions or comments about this advisory:
embargo: 2022-08-18