Summary
FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. An issue exists where, under certain circumstances, an integer underflow in the ICMP and ICMPv6 echo reply handlers allows an adjacent network device to cause a denial of service in devices with memory protection.
Impact
When ipconfigSUPPORT_OUTGOING_PINGS is enabled (default is disabled) and IP header validation is bypassed, crafted ICMP and ICMPv6 Echo Reply packets can cause the library to subtract header sizes from a packet length field without validating the field is large enough. When the length field is smaller than the header size, the subtraction underflows, producing a large value used as a loop bound. This causes the function to read past the end of the network buffer.
On devices with memory protection, this results in a crash (denial of service). The out-of-bounds data is compared locally and not transmitted.
Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0
Patches
This issue has been addressed in FreeRTOS-Plus-TCP version V4.4.1 and V4.2.6. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds
This issue can be mitigated by disabling ipconfigSUPPORT_OUTGOING_PINGS or updating to an unaffected version of FreeRTOS-Plus-TCP.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Summary
FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. An issue exists where, under certain circumstances, an integer underflow in the ICMP and ICMPv6 echo reply handlers allows an adjacent network device to cause a denial of service in devices with memory protection.
Impact
When ipconfigSUPPORT_OUTGOING_PINGS is enabled (default is disabled) and IP header validation is bypassed, crafted ICMP and ICMPv6 Echo Reply packets can cause the library to subtract header sizes from a packet length field without validating the field is large enough. When the length field is smaller than the header size, the subtraction underflows, producing a large value used as a loop bound. This causes the function to read past the end of the network buffer.
On devices with memory protection, this results in a crash (denial of service). The out-of-bounds data is compared locally and not transmitted.
Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0
Patches
This issue has been addressed in FreeRTOS-Plus-TCP version V4.4.1 and V4.2.6. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds
This issue can be mitigated by disabling ipconfigSUPPORT_OUTGOING_PINGS or updating to an unaffected version of FreeRTOS-Plus-TCP.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.