apsun / loliOS

Lightweight & operational Linux-inspired OS.

TCP memory corruption #31

Closed apsun closed 2 years ago

apsun commented 2 years ago

Repro steps:

  1. Enable TCP_DEBUG_DROP
  2. Set TCP_FIN_TIMEOUT_MS to a smaller value (e.g. 6000) to make it go faster
  3. Repeatedly run testsocket

This seems to always corrupt 8 bytes within an object in a pattern similar to list_t (self-referential pointer). I'm strongly suspecting a use-after-free, since the other fields within the object are not smashed. Timer seems like the prime culprit at the moment since it gets used during packet loss, and it touches list_t.
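The failure mode the report describes, as an added illustration rather than code from loliOS: a timer node embedded in a socket stays on the timer list after the socket is freed, and when it expires, list_del rewrites the node's two pointers to point at themselves inside whatever object now owns that memory, while every neighbouring field stays intact. The list_t reconstruction, ktimer_t, tcp_sock_t and the one-slot pool are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Intrusive doubly linked list in the style of the list_t the report names
 * (hypothetical reconstruction, not loliOS's own code). */
typedef struct list { struct list *next, *prev; } list_t;
static void list_init(list_t *n) { n->next = n->prev = n; }
static void list_add(list_t *head, list_t *n) {
    n->next = head->next; n->prev = head; head->next->prev = n; head->next = n;
}
/* Unlink and reset: leaves the self-referential two-pointer pattern
 * (8 bytes with 32-bit pointers) that the issue found inside a dead object. */
static void list_del(list_t *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
typedef struct { list_t link; int armed; } ktimer_t;
typedef struct { uint32_t state; ktimer_t fin_timer; uint32_t seq; } tcp_sock_t;

static list_t timer_list;
/* One-slot allocator: freed memory is handed out again at once, unzeroed. */
static union { tcp_sock_t s; unsigned char raw[sizeof(tcp_sock_t)]; } pool;

static void timer_arm(ktimer_t *t)    { list_add(&timer_list, &t->link); t->armed = 1; }
static void timer_cancel(ktimer_t *t) { if (t->armed) { list_del(&t->link); t->armed = 0; } }
/* Expiry path: each pending node is unlinked through its stored pointers. */
static void timers_fire(void) { while (timer_list.next != &timer_list) list_del(timer_list.next); }

/* Socket a arms its FIN timer and is freed; socket b reuses the allocation. Returns how
 * many bytes of b the stale timer rewrote (0 with the fix), or -1 if anything outside the node was hit. */
int stale_timer_damage(int cancel_before_free)
{
    const size_t lo = offsetof(tcp_sock_t, fin_timer), hi = lo + sizeof(list_t);
    list_init(&timer_list);
    tcp_sock_t *a = &pool.s;
    memset(a, 0, sizeof *a);
    timer_arm(&a->fin_timer);                 /* timer list now points into a */
    if (cancel_before_free) timer_cancel(&a->fin_timer);   /* the fix */
    /* a is freed here; in the buggy path nothing unlinks its timer */
    tcp_sock_t *b = &pool.s;                  /* same bytes, new owner */
    b->state = 2; b->seq = 0x1234;            /* b has not set up fin_timer yet */
    unsigned char before[sizeof *b];
    memcpy(before, pool.raw, sizeof before);
    timers_fire();                            /* follows the stale link into b */
    int changed = 0;
    for (size_t i = 0; i < sizeof *b; i++) {
        if (before[i] == pool.raw[i]) continue;
        if (i < lo || i >= hi) return -1;     /* collateral damage, not this signature */
        changed++;
    }
    return changed;
}
```

A debug build can look for the same footprint on free: a node whose next and prev point at itself inside an object whose owner never armed it.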

apsun commented 2 years ago

Fairly sure this was 292d9e7584396773ae982c6d5d1641aa1eca6f79