Wind River Systems, Inc. Information for VU#222750

TCP/IP implementations do not adequately validate ICMP error messages



Vendor Statement

In all releases after VxWorks 5.3, a hard error does not result in TCP aborting the connection. The hard error code is saved by TCP. If the connection is dropped due to a timeout, this error code is available to the application. Wind River Network Stack 2.0 already checks the ICMP sequence numbers. The release of VxWorks 6.0 and the MSP updates shipping in the fall of 2004 are based on this stack.

Wind River is planning updates to the VxWorks 5.5 and 5.4 versions of the stack that will include the fix for ICMP. These updates are planned for 2005.
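
The two behaviours named in the statement above (saving a hard ICMP error instead of aborting, and checking the sequence number quoted in the ICMP message) are illustrated below. This is an added example, not Wind River's code: the struct, function names and sample packet are constructed, and it assumes IPv4 and that the check means the quoted TCP sequence number must fall within data sent but not yet acknowledged.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified connection state; all names here are hypothetical. */
struct tcp_conn {
    uint32_t laddr, faddr;     /* local / foreign IPv4 address */
    uint16_t lport, fport;     /* local / foreign TCP port */
    uint32_t snd_una, snd_nxt; /* oldest unacked / next sequence number to send */
    int soft_error;            /* saved error, surfaced only if the connection times out */
};
enum icmp_verdict { ICMP_DROP = 0, ICMP_SAVED = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* quoted = ICMP error payload: the offending IPv4 header + first 8 bytes of TCP. */
enum icmp_verdict tcp_icmp_error(struct tcp_conn *c, const uint8_t *quoted, size_t len, int err)
{
    if (len < 20 || (quoted[0] >> 4) != 4) return ICMP_DROP;
    size_t ihl = (size_t)(quoted[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || quoted[9] != 6) return ICMP_DROP; /* 6 = TCP */
    /* The quoted segment must be one we sent: source is local, destination foreign. */
    if (rd32(quoted + 12) != c->laddr || rd32(quoted + 16) != c->faddr) return ICMP_DROP;
    const uint8_t *tcp = quoted + ihl;
    if (rd16(tcp) != c->lport || rd16(tcp + 2) != c->fport) return ICMP_DROP;
    /* Sequence check: snd_una <= seq < snd_nxt, in modulo-2^32 arithmetic. */
    uint32_t seq = rd32(tcp + 4);
    if ((uint32_t)(seq - c->snd_una) >= (uint32_t)(c->snd_nxt - c->snd_una)) return ICMP_DROP;
    c->soft_error = err; /* hard error is recorded, the connection is not aborted */
    return ICMP_SAVED;
}

/* Constructed sample: quoted 192.0.2.1:49152 -> 198.51.100.7:80, sequence 1500. */
static const uint8_t SAMPLE_QUOTED[28] = {
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 192,0,2,1, 198,51,100,7,
    0xC0,0x00, 0x00,0x50, 0x00,0x00,0x05,0xDC, 0,0,0,0 };

int main(void)
{
    struct tcp_conn c = { 0xC0000201u, 0xC6336407u, 49152, 80, 1000, 2000, 0 };
    uint8_t q[28];
    memcpy(q, SAMPLE_QUOTED, sizeof q);
    printf("in window (1500):     %d\n", tcp_icmp_error(&c, q, sizeof q, ECONNREFUSED));
    q[26] = 0x13; q[27] = 0x88; /* sequence 5000: outside snd_una..snd_nxt */
    printf("out of window (5000): %d\n", tcp_icmp_error(&c, q, sizeof q, ECONNREFUSED));
    return 0;
}
```

An ICMP error whose quoted sequence number was never in flight is discarded, so a sender who cannot observe the connection has to guess a value inside the current window for the message to have any effect.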

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



Please see
