I found a security issue in picoTCP v1.7.0 and picoTCP-NG v2.1. It's a double free bug in function `pico_fragments_reassemble` (Line 362 and Line 364 in `modules/pico_fragments.c`).
In function `pico_transport_receive`, when the switch goes into a default branch, it would release `f` (Line 239 in `stack/pico_stack.c`) and return -1. However, after -1 has been returned from `pico_transport_receive(full, proto)` (Line 362 in `modules/pico_fragments.c`), another `pico_frame_discard(full)` (Line 364 in `modules/pico_fragments.c`) would be called and `pico_frame_discard` releases `full` again. This leads to a double free bug.
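The ownership mismatch described in the report, reduced to a small model (an added example, not picoTCP source and not code from the reporter). Every `model_*` name, the static pool and the protocol numbers are assumptions, as is the callee consuming the frame on its success path.

```c
/* Constructed model of the reported ownership bug; not picoTCP source.
 * Every model_* name and the static pool are hypothetical. */
#include <stddef.h>

struct model_frame { int proto; int in_use; };
static struct model_frame model_pool[4];
static int model_double_releases;   /* releases of an already-released frame */

static struct model_frame *model_alloc(int proto)
{
    for (size_t i = 0; i < 4; i++)
        if (!model_pool[i].in_use) {
            model_pool[i].proto = proto;
            model_pool[i].in_use = 1;
            return &model_pool[i];
        }
    return NULL;
}

/* Pool-backed release: a second release is counted instead of corrupting a heap. */
static void model_discard(struct model_frame *f)
{
    if (!f->in_use) { model_double_releases++; return; }
    f->in_use = 0;
}

/* Callee takes ownership on every path; the default branch releases and fails. */
static int model_transport_receive(struct model_frame *f, int proto)
{
    switch (proto) {
    case 6: case 17:            /* assumed handled protocols (TCP, UDP) */
        model_discard(f);       /* assumption: handler consumes the frame */
        return 0;
    default:
        model_discard(f);       /* error path already releases f */
        return -1;
    }
}

/* Returns the number of double releases seen while delivering one frame. */
static int model_deliver(int proto, int caller_discards_on_error)
{
    struct model_frame *full = model_alloc(proto);
    model_double_releases = 0;
    if (!full) return -1;
    if (model_transport_receive(full, proto) == -1 && caller_discards_on_error)
        model_discard(full);    /* the reported second release */
    return model_double_releases;
}
```

Calling `model_deliver` with `caller_discards_on_error` set to 0 models one possible fix, where the caller leaves the release to the callee on every path.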