Changes between FreeRTOS-plus-TCP V4.3.4 and V4.3.3 released October 10, 2025:
- The implementation lacked sufficient checks to ensure that received packets
  meet the minimum size requirements for certain ICMPv6 message types, leading to
  out-of-bounds read operations when processing packets smaller than the expected
  size. This issue has been fixed by adding checks to prevent out-of-bounds reads.
- The implementation lacked sufficient checks to prevent null pointer dereference
  when an IPv6 multicast packet is received on a device not configured with a
  link-local endpoint. This issue has been fixed by adding checks to prevent
  null pointer dereference.
- The implementation lacked sufficient checks to validate the payload length field
  in the IPv6 packet header. This allowed malicious packets with incorrect payload
  lengths to cause integer wraparound, resulting in an erroneously large calculated
  payload length. This inflated payload length bypassed the existing
  bounds-checking mechanisms, leading to out-of-bounds read operations. This issue
  has been fixed by adding checks to validate the payload length field in the IPv6
  packet header.
- The implementation lacked sufficient checks to validate the IP version field
  when a UDP/IPv6 packet is received with ipconfigDRIVER_INCLUDED_RX_IP_CHECKSUM
  disabled. This allowed the processing of packets with an incorrect IP version
  field instead of rejecting them early. Subsequent attempts to extract network
  buffers from these invalid UDP packets could result in dereferencing of an
  invalid pointer due to incorrect pointer arithmetic.

We would like to thank Ivan Gotovchits of Mayhem Security for collaborating on
this issue through the coordinated vulnerability disclosure process.
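The four fixes above share one shape: every length and version field taken from the wire is checked against the bytes actually received, and the interface is checked for a usable endpoint, before any pointer is derived from those fields. The C below is an added example illustrating that pattern; it is not FreeRTOS+TCP code. All names (validate_ipv6_frame, build_frame, check_constructed, frame_verdict_t and the has_link_local flag) are hypothetical, and the minimum ICMPv6 message sizes are the fixed-header sizes from RFC 4443 and RFC 4861. The test frames are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants for this example; not FreeRTOS+TCP identifiers. */
#define IPV6_HEADER_LEN      40u
#define IPV6_NEXT_HDR_ICMPV6 58u

typedef enum {
    FRAME_ACCEPT = 0,
    DROP_TOO_SHORT,        /* fewer bytes than a fixed IPv6 header */
    DROP_BAD_VERSION,      /* version nibble is not 6 */
    DROP_BAD_PAYLOAD_LEN,  /* payload length field exceeds bytes received */
    DROP_NO_ENDPOINT,      /* multicast destination, no link-local endpoint */
    DROP_ICMPV6_TOO_SHORT  /* ICMPv6 body shorter than its type requires */
} frame_verdict_t;

/* Minimum ICMPv6 message sizes, header included (RFC 4443, RFC 4861). */
static size_t icmpv6_min_len(uint8_t type)
{
    switch (type) {
        case 128: case 129: return 8;   /* Echo Request / Echo Reply */
        case 133:           return 8;   /* Router Solicitation */
        case 134:           return 16;  /* Router Advertisement */
        case 135: case 136: return 24;  /* Neighbor Solicitation / Advertisement */
        default:            return 4;   /* type, code, checksum */
    }
}

/* Validate a raw IPv6 frame before any byte beyond the header is touched.
 * has_link_local models "this interface has a link-local endpoint". */
frame_verdict_t validate_ipv6_frame(const uint8_t *buf, size_t buf_len, bool has_link_local)
{
    if (buf == NULL || buf_len < IPV6_HEADER_LEN) return DROP_TOO_SHORT;
    if ((buf[0] >> 4) != 6u) return DROP_BAD_VERSION;

    /* Compare the declared payload against bytes actually received. Subtracting
     * the header length from buf_len (known to be >= 40) cannot wrap, whereas
     * adding the header length to an attacker-chosen field could. */
    size_t payload_len = ((size_t)buf[4] << 8) | buf[5];
    if (payload_len > buf_len - IPV6_HEADER_LEN) return DROP_BAD_PAYLOAD_LEN;

    /* Destination address starts at offset 24; ff00::/8 is multicast. Refuse
     * it early rather than dereferencing a missing endpoint later. */
    if (buf[24] == 0xFFu && !has_link_local) return DROP_NO_ENDPOINT;

    if (buf[6] == IPV6_NEXT_HDR_ICMPV6) {
        if (payload_len < 4u) return DROP_ICMPV6_TOO_SHORT; /* cannot read type */
        uint8_t icmp_type = buf[IPV6_HEADER_LEN];
        if (payload_len < icmpv6_min_len(icmp_type)) return DROP_ICMPV6_TOO_SHORT;
    }
    return FRAME_ACCEPT;
}

/* Construct a test frame: IPv6 header plus actual_payload_len zero bytes, the
 * first of which carries the ICMPv6 type. Returns total bytes written. */
size_t build_frame(uint8_t *out, size_t out_cap, uint8_t version, uint16_t declared_len,
                   size_t actual_payload_len, uint8_t next_header, bool multicast,
                   uint8_t icmp_type)
{
    size_t total = IPV6_HEADER_LEN + actual_payload_len;
    if (out_cap < total) return 0;
    memset(out, 0, total);
    out[0]  = (uint8_t)(version << 4);
    out[4]  = (uint8_t)(declared_len >> 8);
    out[5]  = (uint8_t)(declared_len & 0xFFu);
    out[6]  = next_header;
    out[7]  = 64;                           /* hop limit */
    out[24] = multicast ? 0xFFu : 0xFEu;    /* ff02::-style vs fe80::-style dst */
    out[25] = multicast ? 0x02u : 0x80u;
    if (actual_payload_len > 0) out[IPV6_HEADER_LEN] = icmp_type;
    return total;
}

/* Build one constructed ICMPv6 frame and return the validator's verdict. */
frame_verdict_t check_constructed(uint8_t version, uint16_t declared_len, size_t actual_len,
                                  uint8_t icmp_type, bool multicast, bool has_link_local)
{
    uint8_t frame[128];
    size_t n = build_frame(frame, sizeof frame, version, declared_len, actual_len,
                           IPV6_NEXT_HDR_ICMPV6, multicast, icmp_type);
    return validate_ipv6_frame(frame, n, has_link_local);
}

int main(void)
{
    printf("echo request, consistent lengths: %d\n", check_constructed(6, 8, 8, 128, false, true));
    printf("declared 0xFFFF, 8 bytes present: %d\n", check_constructed(6, 0xFFFF, 8, 128, false, true));
    printf("version 4 in an IPv6 path:        %d\n", check_constructed(4, 8, 8, 128, false, true));
    printf("neighbor solicitation, 8 bytes:   %d\n", check_constructed(6, 8, 8, 135, false, true));
    printf("multicast, no link-local endpoint:%d\n", check_constructed(6, 24, 24, 135, true, false));
    return 0;
}
```

The ordering matters: the version and payload-length checks run before the ICMPv6 type is read, and the endpoint check runs before any endpoint-specific code, so each later step only sees fields the earlier steps have already bounded.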