Headline
CVE-2022-1841: Out-of-Bound Write in tcp_flags
In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.
Impact
In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN
or CWR , the buf will out-of-bounds write a byte zero.
When a malformed tcp packet is received, the tcp_flags function does not check the
validity of the parameters, but directly parses the th_flags field in TCP header. When
th_flags is ECN or CWR , in the tcp_flags function, len is always 0, and buf[0-1] will be
written ‘\0’ . This will modify other data on the stack.
Patches
- main: #45796
For more information
If you have any questions or comments about this advisory:
- Open an issue in zephyr
- Email us at Zephyr-vulnerabilities
embargo: 2022-08-18