Merge branch 'bugfix/backport_some_lwip_bugs_0917_v3.1' into 'release/v3.1'

lw-ip:backport bugfix lw-ip for v3.1 See merge request espressif/esp-idf!10505
2024-10-05 20:47:46 -04:00 · 2020-09-23 14:07:36 +08:00 · 2020-09-23 14:07:36 +08:00 · f3a1e65a9d
commit f3a1e65a9d
parent a981063bf0 c3457fda21
2 changed files with 25 additions and 11 deletions
--- a/components/lwip/core/ipv4/dhcp.c
+++ b/components/lwip/core/ipv4/dhcp.c
@ -1590,8 +1590,8 @@ dhcp_parse_reply(struct dhcp *dhcp, struct pbuf *p)
 again:
  q = p;
  while ((q != NULL) && (options_idx >= q->len)) {
-    options_idx -= q->len;
+    options_idx = (u16_t)(options_idx - q->len);
-    options_idx_max -= q->len;
+    options_idx_max = (u16_t)(options_idx_max - q->len);
    q = q->next;
  }
  if (q == NULL) {
@ -1606,7 +1606,11 @@ again:
    u8_t len;
    u8_t decode_len = 0;
    int decode_idx = -1;
-    u16_t val_offset = offset + 2;
+    u16_t val_offset = (u16_t)(offset + 2);
    if (val_offset < offset) {
      /* overflow */
      return ERR_BUF;
    }
    /* len byte might be in the next pbuf */
    if (offset + 1 < q->len) {
      len = options[offset + 1];
@ -1679,7 +1683,11 @@ again:
        LWIP_DEBUGF(DHCP_DEBUG, ("skipping option %"U16_F" in options\n", op));
        break;
    }
-    offset += len + 2;
+    if ((u32_t)(offset + len + 2) > 0xFFFF) {
      /* overflow */
      return ERR_BUF;
    }
    offset = (u16_t)(offset + len + 2);
    if (decode_len > 0) {
      u32_t value = 0;
      u16_t copy_len;
@ -1690,11 +1698,17 @@ decode_next:
        pbuf_copy_partial(q, &value, copy_len, val_offset);
        if (decode_len > 4) {
          /* decode more than one u32_t */
          u16_t next_val_offset;
          //LWIP_ERROR("decode_len % 4 == 0", decode_len % 4 == 0, return ERR_VAL;);
          dhcp_got_option(dhcp, decode_idx);
          dhcp_set_option_value(dhcp, decode_idx, htonl(value));
-          decode_len -= 4;
+          decode_len = (u8_t)(decode_len - 4);
-          val_offset += 4;
+          next_val_offset = (u16_t)(val_offset + 4);
          if (next_val_offset < val_offset) {
            /* overflow */
            return ERR_BUF;
          }
          val_offset = next_val_offset;
          decode_idx++;
          goto decode_next;
        } else if (decode_len == 4) {
@ -1708,8 +1722,8 @@ decode_next:
      }
    }
    if (offset >= q->len) {
-      offset -= q->len;
+      offset = (u16_t)(offset - q->len);
-      offset_max -= q->len;
+      offset_max = (u16_t)(offset_max - q->len);
      if ((offset < offset_max) && offset_max) {
        q = q->next;
        LWIP_ASSERT("next pbuf was null", q);
--- a/components/lwip/core/ipv6/ip6.c
+++ b/components/lwip/core/ipv6/ip6.c
@ -571,7 +571,7 @@ netif_found:
      ip_data.current_ip_header_tot_len += hlen;
      /* Skip over this header. */
-      if (hlen > p->len) {
+      if (p->len < 8 || hlen > p->len) {
        LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
          ("IPv6 options header (hlen %"U16_F") does not fit in first pbuf (len %"U16_F"), IPv6 packet dropped.\n",
              hlen, p->len));
@ -594,7 +594,7 @@ netif_found:
      ip_data.current_ip_header_tot_len += hlen;
      /* Skip over this header. */
-      if (hlen > p->len) {
+      if (p->len < 8 || hlen > p->len) {
        LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
          ("IPv6 options header (hlen %"U16_F") does not fit in first pbuf (len %"U16_F"), IPv6 packet dropped.\n",
              hlen, p->len));
@ -617,7 +617,7 @@ netif_found:
      ip_data.current_ip_header_tot_len += hlen;
      /* Skip over this header. */
-      if (hlen > p->len) {
+      if (p->len < 8 || hlen > p->len) {
        LWIP_DEBUGF(IP6_DEBUG | LWIP_DBG_LEVEL_SERIOUS,
          ("IPv6 options header (hlen %"U16_F") does not fit in first pbuf (len %"U16_F"), IPv6 packet dropped.\n",
              hlen, p->len));