RT-Thread Version
tested HEAD, commit 38c007a
Hardware Type/Architectures
Independent (the bug is in the lwip-dhcpd C implementation)
Develop Toolchain
Other
Describe the bug
Summary
A buffer over-read vulnerability exists in RT-Thread's DHCP server implementation (components/net/lwip-dhcpd/dhcp_server.c) where the DHCP option parsing loop has no bounds check on the input buffer position, allowing a crafted DHCP packet to read past the allocated buffer.
Details
File: components/net/lwip-dhcpd/dhcp_server.c, line 346
The DHCP options parsing loop uses while(finished == 0) to iterate through options in the received packet. The loop reads option type and length fields from the packet data but does NOT check whether the current read position exceeds the packet buffer boundary.
/* dhcp_server.c:346 */
while(finished == 0) {
/* reads option type and length from packet data */
/* NO check that position < packet_length */
}
DHCP requests carry no authentication, so the parsing loop is reachable by any host on the local network segment without credentials.
PoC
Send a crafted DHCP packet on the local network segment with:
- Valid DHCP header (op=1, htype=1, hlen=6)
- Options section containing a chain of options where each option's length field points past the end of the packet
- No DHCP_OPTION_END (0xFF) marker
The option parsing loop then walks past the end of the packet buffer, treating whatever bytes follow as further type/length pairs, until it touches an unmapped or fault-generating address (crash) or happens to stop on a stray 0xFF after consuming adjacent heap data. Whether that heap data is actually disclosed depends on whether the values parsed from it influence the server's reply.
To observe the over-read with AddressSanitizer, build the lwip-dhcpd component in a host-side build where ASAN is available (the sanitizer runtime is typically not available for cross-compiled MCU targets), then send the crafted DHCP DISCOVER on the local interface:
# Build RT-Thread with ASAN (-fsanitize=address), enable lwip-dhcpd,
# send crafted DHCP DISCOVER on the local interface
Other additional context
Impact
- Out-of-bounds read from the packet buffer
- Potential information disclosure from adjacent heap memory
- Potential crash (DoS) if reading into unmapped memory
- Affects any RT-Thread device running the built-in DHCP server
- Attack vector: adjacent network (DHCP is link-local), no authentication required
Suggested fix:
- while(finished == 0) {
+ while(finished == 0 && position < packet_length) {
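Review bot: `position < packet_length` only guards the type byte, but the loop reads the length byte at `position + 1` in the same iteration, so the condition should be `position + 1 < packet_length` (or an equivalent check before the length read); otherwise a packet whose last byte is an option type still triggers a one-byte over-read, and the subsequent advance by `option_length + 2` needs to be compared with `packet_length` before any option value is read.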
Also validate that position + 2 + option_length does not exceed packet_length before reading option data, and treat running off the end without a DHCP_OPTION_END marker as a malformed packet rather than continuing to read.
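The following is an added, self-contained example (not RT-Thread's code) that puts the Details, PoC and Suggested fix sections together: it builds two constructed DHCP DISCOVER packets, one well-formed and one shaped like the PoC (an option whose length field points past the end of the packet, no END marker); models the unchecked loop to report where its first out-of-bounds read would land; and runs a hardened parser, `dhcp_parse_options_safe`, that applies the bounds checks suggested above. The helper names, the 512-byte packet buffer and the sample packets are assumptions for the example; the hardened parser additionally handles the single-byte PAD option, which the report does not discuss.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2131 layout: 236-byte fixed header, 4-byte magic cookie, then
 * type/length/value options terminated by DHCP_OPT_END (0xFF). */
#define DHCP_HDR_LEN     236
#define DHCP_COOKIE_LEN  4
#define DHCP_OPT_PAD     0
#define DHCP_OPT_REQ_IP  50
#define DHCP_OPT_MSGTYPE 53
#define DHCP_OPT_END     255
#define OPTS_START       (DHCP_HDR_LEN + DHCP_COOKIE_LEN)

struct dhcp_parsed { uint8_t message_type; uint32_t requested_ip; };

/* Constructed sample packets, not captured traffic. The crafted one matches
 * the PoC: a requested-IP option claiming 200 bytes with 2 present, no END. */
size_t build_discover(uint8_t *buf, size_t cap, int crafted)
{
    static const uint8_t cookie[] = { 0x63, 0x82, 0x53, 0x63 };
    static const uint8_t good[] = { DHCP_OPT_MSGTYPE, 1, 1,            /* DISCOVER */
                                    DHCP_OPT_REQ_IP, 4, 192, 168, 1, 100,
                                    DHCP_OPT_END };
    static const uint8_t evil[] = { DHCP_OPT_MSGTYPE, 1, 1,
                                    DHCP_OPT_REQ_IP, 200, 192, 168 };
    const uint8_t *opts = crafted ? evil : good;
    size_t optlen = crafted ? sizeof evil : sizeof good;
    size_t total = OPTS_START + optlen;

    if (cap < total) return 0;
    memset(buf, 0, DHCP_HDR_LEN);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;        /* op=BOOTREQUEST, htype=Ethernet, hlen=6 */
    memcpy(buf + DHCP_HDR_LEN, cookie, DHCP_COOKIE_LEN);
    memcpy(buf + OPTS_START, opts, optlen);
    return total;
}

/* Models the unchecked loop from the report (read type, read length, read the
 * value bytes the switch uses, advance by length + 2, never compare with the
 * packet length). Dereferences are replaced by bounds probes so it runs
 * without faulting: returns the offset of the first byte the real loop would
 * read past `len`, or -1 if the loop reaches DHCP_OPT_END in bounds. */
long unchecked_loop_first_oob(const uint8_t *pkt, size_t len)
{
    size_t pos = OPTS_START;
    for (;;) {
        if (pos >= len) return (long)pos;              /* type byte OOB */
        uint8_t type = pkt[pos];
        if (type == DHCP_OPT_END) return -1;
        if (pos + 1 >= len) return (long)(pos + 1);    /* length byte OOB */
        size_t need = type == DHCP_OPT_REQ_IP ? 4 : type == DHCP_OPT_MSGTYPE ? 1 : 0;
        if (pos + 2 + need > len) return (long)len;    /* value read OOB */
        pos += 2 + pkt[pos + 1];                       /* the unchecked jump */
    }
}

/* Hardened parser (hypothetical helper, not RT-Thread's code): every read is
 * checked against `len`. Returns 0 on success, -1 on truncated/unterminated. */
int dhcp_parse_options_safe(const uint8_t *pkt, size_t len, struct dhcp_parsed *out)
{
    size_t pos = OPTS_START;
    memset(out, 0, sizeof *out);
    while (pos < len) {                                /* guards the type byte */
        uint8_t type = pkt[pos];
        if (type == DHCP_OPT_END) return 0;
        if (type == DHCP_OPT_PAD) { pos++; continue; } /* PAD has no length byte */
        if (pos + 1 >= len) return -1;                 /* length byte missing */
        size_t optlen = pkt[pos + 1];
        if (pos + 2 + optlen > len) return -1;         /* value past the end */
        const uint8_t *val = pkt + pos + 2;
        if (type == DHCP_OPT_MSGTYPE && optlen >= 1)
            out->message_type = val[0];
        else if (type == DHCP_OPT_REQ_IP && optlen == 4)
            out->requested_ip = (uint32_t)val[0] << 24 | (uint32_t)val[1] << 16 |
                                (uint32_t)val[2] << 8  | val[3];
        pos += 2 + optlen;                             /* unknown options skipped */
    }
    return -1;                                         /* no END marker in bounds */
}

int main(void)
{
    uint8_t pkt[512];
    struct dhcp_parsed p;
    for (int crafted = 0; crafted < 2; crafted++) {
        size_t n = build_discover(pkt, sizeof pkt, crafted);
        int rc = dhcp_parse_options_safe(pkt, n, &p);
        printf("%s packet, %zu bytes: safe parser rc=%d type=%u ip=0x%08x, "
               "unchecked loop first OOB read at offset %ld\n",
               crafted ? "crafted" : "benign", n, rc, p.message_type,
               p.requested_ip, unchecked_loop_first_oob(pkt, n));
    }
    return 0;
}
```

On the crafted 247-byte packet the unchecked model reports its first out-of-bounds read at offset 247, i.e. the byte immediately after the buffer, while the hardened parser rejects the packet as soon as the claimed option length cannot fit; on the benign packet both agree and the requested IP decodes to 192.168.1.100.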