From 47414efe0b13fcef49480615589fcb1260123670 Mon Sep 17 00:00:00 2001 
From: David Cermak
Date: Mon, 21 Feb 2022 13:33:06 +0100
Subject: [PATCH] lwip: Security fixes; PPPoS null-deref; NAPT ip-forward

* Cherry-pick important fixes to 2.1.2-esp
  - CVE-2020-22283: Attacker could craft a packet that would disclose 8 bytes of some heap memory:
  - icmp6: Don't copy too much data
  - icmp6: Fix copying of chained pbuf in reply
  - icmp6: keep to the RFC and send as much as possible with icmp6 error messages
  - CVE-2020-22284: ZEP - ZigBee Encapsulation Protocol/6LoWPAN is not supported in IDF, the netif module (zepif.c) is not included in the build, but users can still inject the file into compilation process, implement IO interface and use this.
  - zepif: Copy possibly chained output pbuf properly
  - Add #define for minimum IPv6 MTU length
  - pbuf: Add pbuf_copy_partial_pbuf library function
* PPPoS: Fix null-deref when processing double break packet
  - pppos: fix in_tail null (espressif/esp-lwip@537c69d5)
  - PPP: Add test exhibiting empty packet null-deref (espressif/esp-lwip@202a07da)
* NAPT: Fix PBUF_REF type to clone the pbuf before forwarding
  - IP-FORWARD: If packet-type is PBUF_REF clone it before forwarding
  - Add NAPT unit test to exercise NAT feature for both RAM and REF pbuf types
* version: Update version numbers to match 2.1.2-esp

* Update submodule: https://github.com/espressif/esp-lwip/compare/2749568fe15df2003f6c3f37f0dfd44f8f01fcd6...76303df2386902e0d7873be4217f1d9d1b50f982
  - test/napt: Add unit test for IP forward with PBUF_REF (espressif/esp-lwip@76303df2)
  - napt: Fix PBUF_REF type to clone the pbuf before forwarding (espressif/esp-lwip@39068263)
  - version: Update version numbers to match 2.1.2-esp (espressif/esp-lwip@2b922919)
  - pppos: fix in_tail null (espressif/esp-lwip@537c69d5)
  - PPP: Add test exhibiting empty packet null-deref (espressif/esp-lwip@202a07da)
  - pbuf: Add pbuf_copy_partial_pbuf library function (espressif/esp-lwip@1c9cd9c1)
  - Add #define for minimum IPv6 MTU length (espressif/esp-lwip@d2dc577b)
  - zepif: Copy
possibly chained output pbuf properly (espressif/esp-lwip@64ab7f2a) - icmp6: Don't copy too much data (espressif/esp-lwip@4a64731b) - icmp6: Fix copying of chained pbuf in reply (espressif/esp-lwip@7c822ff4) - icmp6: keep to the RFC and send as much as possible with icmp6 error messages (espressif/esp-lwip@29100ab6) - dns: Add API to clear dns cache (espressif/esp-lwip@ee59f77d) - CI: Fixed adding gitlab key (espressif/esp-lwip@5a2bdba7) - test case: modify test case test_tcp_new_max_num_remove_FIN_WAIT_1 (espressif/esp-lwip@6b090f7d) Closes https://github.com/espressif/esp-idf/issues/8300 Closes https://github.com/espressif/esp-idf/issues/8451 --- components/lwip/lwip | 2 +- components/lwip/port/esp32/include/lwipopts.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/components/lwip/lwip b/components/lwip/lwip index 2749568fe1..76303df238 160000 --- a/components/lwip/lwip +++ b/components/lwip/lwip @@ -1 +1 @@ -Subproject commit 2749568fe15df2003f6c3f37f0dfd44f8f01fcd6 +Subproject commit 76303df2386902e0d7873be4217f1d9d1b50f982 diff --git a/components/lwip/port/esp32/include/lwipopts.h b/components/lwip/port/esp32/include/lwipopts.h index 47215e99da..bb0d371c6e 100644 --- a/components/lwip/port/esp32/include/lwipopts.h +++ b/components/lwip/port/esp32/include/lwipopts.h @@ -1007,6 +1007,7 @@ #define ESP_LWIP_SELECT 1 #define ESP_LWIP_LOCK 1 #define ESP_THREAD_PROTECTION 1 +#define ESP_IP_FORWARD 1 #ifdef CONFIG_LWIP_IPV6_AUTOCONFIG #define ESP_IPV6_AUTOCONFIG CONFIG_LWIP_IPV6_AUTOCONFIG
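Review bot: the submodule bump in components/lwip/lwip (2749568fe1 to 76303df238) brings in more than the subject line announces. The compare list in the message also contains "dns: Add API to clear dns cache", "CI: Fixed adding gitlab key" and a modified test case (test_tcp_new_max_num_remove_FIN_WAIT_1), none of which appear in the summary bullets. Please either mention them in the summary or move them to a separate bump, so that anyone backporting the CVE-2020-22283 and CVE-2020-22284 fixes can tell which of the listed esp-lwip commits are actually required.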
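Review bot: in the lwipopts.h hunk, `#define ESP_IP_FORWARD 1` is added without a comment, and is set unconditionally, while the `ESP_IPV6_AUTOCONFIG` define right below it takes its value from `CONFIG_LWIP_IPV6_AUTOCONFIG`. The only hint at its purpose is the commit message line "IP-FORWARD: If packet-type is PBUF_REF clone it before forwarding". Please add a one-line comment above the define saying what it guards in the submodule, and state whether it is meant to be always on or should follow the forwarding/NAPT configuration, since builds that never forward packets would otherwise compile the extra path in with no way to opt out.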