I found a security issue in picoTCP v1.7.0 and picoTCP-NG v2.1. It's a double free bug in function pico_fragments_reassemble (Line 362 and Line 364 in modules/pico_fragments.c).
In function pico_transport_receive, when the switch goes into the default branch, it releases f (Line 239 in stack/pico_stack.c) and returns -1. However, after -1 has been returned from pico_transport_receive(full, proto) (Line 362 in modules/pico_fragments.c), another pico_frame_discard(full) (Line 364 in modules/pico_fragments.c) is called and pico_frame_discard releases full again. This leads to a double free bug.
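The ownership mismatch described in the report, as an added C example that is not picoTCP's own code: a callee that releases the frame on its error path while the caller also releases it on a negative return. The names (frame_t, transport_receive, reassemble_buggy, reassemble_fixed), the protocol numbers and the free-counting frame are assumptions constructed for illustration; frees are counted rather than performed so the double release is observable without undefined behaviour.

```c
#include <stdio.h>

/* Instrumented stand-in for a pico_frame: records how often it was released */
typedef struct {
    int freed;
} frame_t;

/* Stand-in for pico_frame_discard: counts releases instead of calling free() */
static void frame_discard(frame_t *f)
{
    if (f)
        f->freed++;
}

/* Stand-in for pico_transport_receive. On an unknown protocol it discards f
 * itself and returns -1, so the caller no longer owns f on that path. */
static int transport_receive(frame_t *f, int proto)
{
    switch (proto) {
    case 6:   /* TCP: assumed to hand the frame on, ownership transferred */
    case 17:  /* UDP */
        return 0;
    default:
        frame_discard(f);   /* callee releases the frame on the error path */
        return -1;
    }
}

/* Pattern the report describes: the caller discards again after -1 */
static int reassemble_buggy(frame_t *full, int proto)
{
    if (transport_receive(full, proto) < 0) {
        frame_discard(full);    /* second release of the same frame */
        return -1;
    }
    return 0;
}

/* Assumed fix pattern: honour the contract that the callee owns the frame
 * once it has been passed in, so the caller never touches it after -1 */
static int reassemble_fixed(frame_t *full, int proto)
{
    if (transport_receive(full, proto) < 0)
        return -1;              /* already released by the callee */
    return 0;
}

/* Runs one variant on a fresh frame and reports how many times it was released */
static int count_releases(int (*variant)(frame_t *, int), int proto)
{
    frame_t f = {0};
    variant(&f, proto);
    return f.freed;             /* 2 means a double release */
}
```

Building this with a sanitizer would be redundant here, since the instrumented frame already makes the second release visible as a count of 2.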