LwIP has been defaulting to IPv6 since 2020. The bug I pointed to is an issue of the header size being wrong when IPv6 is used (not when it’s disabled). The proposed fix is calling a function to get a proper header size; that fix has not been implemented in LwIP at this time and therefore is an issue (and therefore potentially a vulnerability) in systems using LwIP from 2020 until now. I just am not sure if anything meaningful can be accomplished from such an issue.
You’re right, I had it backwards and I didn’t realize the PR was still open. It’s 4am here.
It just means you can’t respond to a ping when IPv6 is enabled. More of an annoyance bug than an exploitable one imo.
My hunch as well, but there are also so many commits to this repo over the years that there could be any number of exploits lurking in here. I only had time to look at a few dozen and this caught my eye, but I don’t know enough about the library to know what is a real issue and what’s not.