granicus.if.org Git - esp-idf/commit
Merge branch 'bugfix/mdns_security_issues' into 'master'
author Ivan Grokhotkov <ivan@espressif.com>
Tue, 14 Mar 2017 13:42:06 +0000 (21:42 +0800)
committer Ivan Grokhotkov <ivan@espressif.com>
Tue, 14 Mar 2017 13:42:06 +0000 (21:42 +0800)
commit 577290aabaf03ca16db6a293c7768da4b365f8ca
tree 156e30a38ec47af99a17e6c87bbdcea77dd05c5c
parent a9ed6d5a24191d0567b4cef79a8a02043cbe716b
parent c89e11c8fa64641edddf9a055745d825ae3fab9d
Merge branch 'bugfix/mdns_security_issues' into 'master'

Bugfix/mdns security issues

Fixes a series of security issues with MDNS.

STACK-SMASH: https://github.com/espressif/esp-idf/blob/dd3f18d2d88ee78909d4af2840dfdf0b9f715f28/components/mdns/mdns.c#L494:
The sprintf is not limited. We can execute the sprintf codeflow as
many times as we want, allowing arbitrarily long data to be written
into the stack.

PACKET-OF-DEATH:
https://github.com/espressif/esp-idf/blob/dd3f18d2d88ee78909d4af2840dfdf0b9f715f28/components/mdns/mdns.c#L502.
The compare allows equal, and thus jumping back to itself, infinite
recursion -> guaranteed crash

TXT-SMASH: https://github.com/espressif/esp-idf/blob/dd3f18d2d88ee78909d4af2840dfdf0b9f715f28/components/mdns/mdns.c#L1381
The loop does not check on reaching a->txt maximum size (1024),
resulting in stack overflow.

See merge request !576
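
An added illustration, not the esp-idf code and not the fix from this merge: a bounded DNS name reader in C covering the first two bug classes in the message above, an unbounded write while expanding a name and a compression pointer that is allowed to point at itself. The function name `read_name`, the `DNS_NAME_MAX` cap and the sample packets are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define DNS_NAME_MAX 255  /* RFC 1035 limit on a full name */

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_OK[]   = {3,'f','o','o',5,'l','o','c','a','l',0, 0xC0,0x00};
static const uint8_t PKT_SELF[] = {0xC0,0x00};         /* pointer to itself */
static const uint8_t PKT_LOOP[] = {1,'a', 0xC0,0x00};  /* label, then pointer back to it */

/* Hypothetical helper, not from esp-idf. Decodes the name at pkt[off] into
 * out (dot-separated, NUL-terminated). Returns its length, or -1 if malformed. */
int read_name(const uint8_t *pkt, size_t pkt_len, size_t off, char *out, size_t out_len)
{
    size_t used = 0;
    if (out_len == 0) return -1;
    while (off < pkt_len) {
        uint8_t len = pkt[off];
        if (len == 0) {                         /* root label ends the name */
            out[used] = '\0';
            return (int)used;
        }
        if ((len & 0xC0) == 0xC0) {             /* compression pointer */
            if (off + 1 >= pkt_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[off + 1];
            if (target >= off) return -1;       /* must point strictly backwards */
            off = target;
            continue;
        }
        if (len & 0xC0) return -1;              /* reserved label type */
        if (off + 1 + len > pkt_len) return -1; /* label runs past the packet */
        size_t need = (size_t)len + (used ? 1 : 0);
        /* Bounded output: this cap is also what stops PKT_LOOP, where a
         * backward pointer re-enters labels that lead to the same pointer. */
        if (need > DNS_NAME_MAX - used || used + need + 1 > out_len) return -1;
        if (used) out[used++] = '.';
        memcpy(out + used, pkt + off + 1, len);
        used += len;
        off += 1 + (size_t)len;
    }
    return -1;                                  /* no terminator inside the packet */
}

int main(void)
{
    char out[64];
    return read_name(PKT_OK, sizeof PKT_OK, 11, out, sizeof out) == 9 ? 0 : 1;
}
```

The backward-only pointer check alone does not guarantee termination, as `PKT_LOOP` shows; it is the pairing with a hard output limit that bounds the walk.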