|
1 | 1 | Documentation and download available at https://www.FreeRTOS.org/ |
2 | 2 |
|
3 | 3 | Changes between FreeRTOS-plus-TCP V4.3.4 and V4.3.3 released October 10, 2025: |
4 | | - + Fixed possible buffer over read when processing ICMPv6 packets of |
5 | | - certain message types which are smaller than the expected size. |
6 | | - + Fixed missing validation check in IPv6 packet processing code which |
7 | | - can lead to out-of-bounds read when receiving a IPv6 packet with |
8 | | - incorrect payload lengths in the packet header. |
9 | | - + Fixed possible NULL pointer dereference when IPv6 link local endpoint |
10 | | - is not present in the system when IPv6 is enabled. |
11 | | - + Fixed missing validation check in UDP/IPv6 packet processing code which can |
12 | | - lead to invalid pointer dereference when receiving a UDP/IPv6 packet with an |
13 | | - incorrect IP version field in the packet header. |
14 | | - We would like to thank Ivan Gotovchits on behalf of Mayhem Security for |
15 | | - collaborating on above issues through the coordinated vulnerability disclosure process. |
| 4 | + + The implementation lacked sufficient checks to ensure that received packets |
| 5 | + meet the minimum size requirements for certain ICMPv6 message types, leading to |
| 6 | + out-of-bounds read operations when processing packets smaller than the expected |
| 7 | + size. This issue has been fixed by adding checks to prevent out-of-bounds reads. |
| 8 | + The implementation lacked sufficient checks to prevent null pointer dereference |
| 9 | + when an IPv6 multicast packet is received on a device not configured with a |
| 10 | + link-local endpoint. This issue has been fixed by adding checks to prevent |
| 11 | + null pointer dereference. |
| 12 | + + The implementation lacked sufficient checks to validate the payload length field |
| 13 | + in the IPv6 packet header. This allowed malicious packets with incorrect payload |
| 14 | + lengths to cause integer wraparound, resulting in erroneously large calculated |
| 15 | + payload length. This inflated payload length bypassed the existing |
| 16 | + bounds-checking mechanisms, leading to out-of-bounds read operations. This issue |
| 17 | + has been fixed by adding checks to validate the payload length field in the IPv6 |
| 18 | + packet header. |
| 19 | + + The implementation lacked sufficient checks to validate the IP version field |
| 20 | + when a UDP/IPv6 packet is received with ipconfigDRIVER_INCLUDED_RX_IP_CHECKSUM |
| 21 | + disabled. This allowed the processing of packets with an incorrect IP version |
| 22 | + field instead of rejecting them early. Subsequent attempts to extract network |
| 23 | + buffers from these invalid UDP packets could result in dereferencing of an |
| 24 | + invalid pointer due to incorrect pointer arithmetic. |
| 25 | + We would like to thank Ivan Gotovchits of Mayhem Security for collaborating on |
| 26 | + this issue through the coordinated vulnerability disclosure process. |
16 | 27 |
|
17 | 28 | Changes between FreeRTOS-plus-TCP V4.3.3 and V4.3.2 released June 10, 2025: |
18 | 29 | + Fixed maximum network buffer allocation size check when buffer |
|
0 commit comments