[U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet
Simon Goldschmidt
simon.k.r.goldschmidt at gmail.com
Wed Aug 21 19:29:31 UTC 2019
On Wed, Aug 21, 2019 at 8:32 PM Cheng Liu <liucheng32 at huawei.com> wrote:
>
> CVE: net: fix unbounded memcpy of UDP packet
>
> This patch adds a check to udp_len to fix unbounded memcpy for
> CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
>
> Signed-off-by: Cheng Liu <liucheng32 at huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
Although being annoyed by the lack of response from Fermin nearly a
month ago, would it make sense to add:
Reported-by: FermÃn Serna <fermin at semmle.com>
Regards,
Simon
> ---
> net/net.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/net.c b/net/net.c
> index 40511db..68f9693 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
> return;
> }
>
> + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
> + return;
> +
> debug_cond(DEBUG_DEV_PKT,
> "received UDP (to=%pI4, from=%pI4, len=%d)\n",
> &dst_ip, &src_ip, len);
> --
> 1.8.5.6
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot
More information about the U-Boot
mailing list