net: Stack Overflow with Ping (to own IP Address) via Shell

Ping to self via net shell net ping 10.42.0.2 causes a stack overflow in samples/net/sockets/echo_server. Own IPv4 address is configured via CONFIG_NET_CONFIG_MY_IPV4_ADDR="10.42.0.2".

Zephyr version: 7823374e872 release: Zephyr 4.1.0

Build with: west build --pristine -b frdm_k64f -d "k64_echo_server" samples/net/sockets/echo_server -- -DOVERLAY_CONFIG="prj.conf"

Additional Details:

The default CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE is set to 1024 by default. Refer: https://docs.zephyrproject.org/latest/develop/optimizations/footprint.html
Backtrace when the ping is happening and stack overflow occurs:


bt

#0  0x000005b8 in __udivmoddi4 ()
#1  0x00000574 in __aeabi_uldivmod ()
#2  0x00028010 in __ultoa_invert ()
#3  0x0001ea36 in vfprintf ()
#4  0x0001dfbc in snprintf ()
#5  0x00000a58 in handle_ipv4_echo_reply (ctx=<optimized out>, pkt=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>, hdr=<optimized out>, icmp_hdr=<optimized out>,
   user_data=0x20008258 <ping_ctx>) at zephyr/subsys/net/lib/shell/ping.c:156
#6  0x000128fc in icmp_call_handlers (pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>, ip_hdr=ip_hdr@entry=0x20024318 <sys_work_q_stack+408>,
   icmp_hdr=icmp_hdr@entry=0x20024ed0 <net_buf_data_tx_bufs+148>) at zephyr/subsys/net/ip/icmp.c:523
#7  0x0002464c in net_icmp_call_ipv4_handlers (pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>, ipv4_hdr=ipv4_hdr@entry=0x20024ebc <net_buf_data_tx_bufs+128>,
   icmp_hdr=icmp_hdr@entry=0x20024ed0 <net_buf_data_tx_bufs+148>) at zephyr/subsys/net/ip/icmp.c:546
#8  0x000137f4 in net_icmpv4_input (pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>, ip_hdr=ip_hdr@entry=0x20024ebc <net_buf_data_tx_bufs+128>)
   at zephyr/subsys/net/ip/icmpv4.c:643
#9  0x00013a2c in net_ipv4_input (pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>, is_loopback=is_loopback@entry=true)
   at zephyr/subsys/net/ip/ipv4.c:388
#10 0x0000e07e in process_data (is_loopback=is_loopback@entry=true, pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>) at zephyr/subsys/net/ip/net_core.c:142
#11 processing_data (pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>, is_loopback=is_loopback@entry=true) at zephyr/subsys/net/ip/net_core.c:160
#12 0x0000e16e in net_send_data (pkt=pkt@entry=0x20029d14 <_k_mem_slab_buf_tx_pkts+216>) at zephyr/subsys/net/ip/net_core.c:405
#13 0x00013640 in icmpv4_handle_echo_request (ctx=<optimized out>, pkt=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>, hdr=<optimized out>, icmp_hdr=<optimized out>, user_data=0x0 <l4_event_handler>) at zephyr/subsys/net/ip/icmpv4.c:496
#14 0x000128fc in icmp_call_handlers (pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>, ip_hdr=ip_hdr@entry=0x20024428 <sys_work_q_stack+680>, icmp_hdr=icmp_hdr@entry=0x20024e50 <net_buf_data_tx_bufs+20>) at zephyr/subsys/net/ip/icmp.c:523
#15 0x0002464c in net_icmp_call_ipv4_handlers (pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>, ipv4_hdr=ipv4_hdr@entry=0x20024e3c <net_buf_data_tx_bufs>, icmp_hdr=icmp_hdr@entry=0x20024e50 <net_buf_data_tx_bufs+20>) at zephyr/subsys/net/ip/icmp.c:546
#16 0x000137f4 in net_icmpv4_input (pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>, ip_hdr=ip_hdr@entry=0x20024e3c <net_buf_data_tx_bufs>) at zephyr/subsys/net/ip/icmpv4.c:643
#17 0x00013a2c in net_ipv4_input (pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>, is_loopback=is_loopback@entry=true) at zephyr/subsys/net/ip/ipv4.c:388
#18 0x0000e07e in process_data (is_loopback=is_loopback@entry=true, pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>) at zephyr/subsys/net/ip/net_core.c:142
#19 processing_data (pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>, is_loopback=is_loopback@entry=true) at zephyr/subsys/net/ip/net_core.c:160
#20 0x0000e16e in net_send_data (pkt=pkt@entry=0x20029ccc <_k_mem_slab_buf_tx_pkts+144>) at zephyr/subsys/net/ip/net_core.c:405
#21 0x00012a5c in send_icmpv6_echo_request (timeout=..., user_data=<optimized out>, params=<optimized out>, dst=<optimized out>, iface=<optimized out>, ctx=<optimized out>) at zephyr/subsys/net/ip/icmp.c:333
#22 net_icmp_send_echo_request_timeout (ctx=ctx@entry=0x20008288 <ping_ctx+48>, iface=0x20004128 <__net_if_dts_ord_95_0>, dst=dst@entry=0x2000829c <ping_ctx+68>, params=params@entry=0x2002455c <sys_work_q_stack+988>, user_data=user_data@entry=0x20008258 <ping_ctx>, timeout=...) at zephyr/subsys/net/ip/icmp.c:469
#23 0x00024638 in net_icmp_send_echo_request_no_wait (ctx=ctx@entry=0x20008288 <ping_ctx+48>, iface=<optimized out>, dst=dst@entry=0x2000829c <ping_ctx+68>, params=params@entry=0x2002455c <sys_work_q_stack+988>, user_data=user_data@entry=0x20008258 <ping_ctx>) at zephyr/subsys/net/ip/icmp.c:496
#24 0x0000b9c8 in ping_work (work=0x20008258 <ping_ctx>) at zephyr/subsys/net/lib/shell/ping.c:275
#25 0x0001c986 in work_queue_main (workq_ptr=0x20008c30 <k_sys_work_q>, p2=<optimized out>, p3=<optimized out>) at zephyr/kernel/work.c:684
#26 0x00002356 in z_thread_entry (entry=0x1c8f5 <work_queue_main>, p1=0x20008c30 <k_sys_work_q>, p2=0x0 <l4_event_handler>, p3=0x0 <l4_event_handler>) at zephyr/lib/os/thread_entry.c:48
#27 0xaaaaaaaa in ?? ()

At this point stack limit is reached when entering __udivmoddi4 ()


print $sp
$3 = (void *) 0x200241c0 <sys_work_q_stack+64>

Upon executing the next instruction we get:


uart:~$ net ping 10.42.0.2
PING 10.42.0.2
[00:00:19.156,000] <err> os: ***** BUS FAULT *****
[00:00:19.156,000] <err> os:   Stacking error
[00:00:19.156,000] <err> os:   Imprecise data bus error
[00:00:19.156,000] <err> os:   NXP MPU error, port 3
[00:00:19.156,000] <err> os:     Mode: Supervisor, Data Address: 0x20024198
[00:00:19.157,000] <err> os:     Type: Write, Master: 0, Regions: 0x8200
[00:00:19.157,000] <err> os: r0/a1:  0x4f7ad738  r1/a2: 0xa104d5cc  r2/a3:  0x012e4b3b
[00:00:19.157,000] <err> os: r3/a4:  0x49ca0d82 r12/ip: 0xf7306909 r14/lr:  0x1c4cdc1b
[00:00:19.157,000] <err> os:  xpsr:  0x562c9c00
[00:00:19.157,000] <err> os: Faulting instruction address (r15/pc): 0xeac9f934
[00:00:19.157,000] <err> os: >>> ZEPHYR FATAL ERROR 2: Stack overflow on CPU 0
[00:00:19.157,000] <err> os: Current thread: 0x20008c30 (sysworkq)
[00:00:19.278,000] <err> os: Halting system

Understanding of the issue:

net ping 10.42.0.2 leads to sending an echo request from work queue.
When the packet is about to be written to network, Zephyr realizes that the destination IP address is my own. So, let's process it immediately.
Handle echo request.
Send reply of echo request.
Again, when the packet is about to be written to network, Zephyr realizes that the destination IP address is my own. So, let's process it immediately.
Handle echo reply.

=>The stack grows bigger than the available space during this handling and consequently MPU detects the overwrite.

Patches

main: #102268

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities

embargo: 2026-04-15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net: Stack Overflow with Ping (to own IP Address) via Shell

Package

Affected versions

Patched versions

Description

Patches

For more information

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Uncontrolled Recursion