[U-Boot] [PATCH v2 1/5] CVE: net: fix unbounded memcpy of UDP packet//RE: [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet
liucheng (G)
liucheng32 at huawei.com
Thu Aug 29 13:47:33 UTC 2019
Changes in v2:
- Add reviewed-by and reported-by tags for patch 1/5
--------------------------------------------------------------------------------------------------------------
CVE: net: fix unbounded memcpy of UDP packet
This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
Signed-off-by: Cheng Liu <liucheng32 at huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
Reported-by: Fermín Serna <fermin at semmle.com>
---
net/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/net.c b/net/net.c
index 40511db..68f9693 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
return;
}
+ if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+ return;
+
debug_cond(DEBUG_DEV_PKT,
"received UDP (to=%pI4, from=%pI4, len=%d)\n",
&dst_ip, &src_ip, len);
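Review bot: The upper bound in the added condition, ntohs(ip->udp_len) > ntohs(ip->ip_len), is looser than it needs to be. ip_len is the IP total length and includes the IP header, so a udp_len that exceeds the bytes actually following the IP header by up to the header size still passes. Consider comparing against ntohs(ip->ip_len) minus the IP header size. Unless ip_len is already validated against the received len earlier in the function (not visible in this hunk), bound it by len as well, since both fields are taken from the packet.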
--
1.8.5.6
-----Original Message-----
From: Simon Goldschmidt [mailto:simon.k.r.goldschmidt at gmail.com]
Sent: Thursday, August 22, 2019 3:30 AM
To: liucheng (G) <liucheng32 at huawei.com>
Cc: U-Boot Mailing List <u-boot at lists.denx.de>
Subject: Re: [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet
On Wed, Aug 21, 2019 at 8:32 PM Cheng Liu <liucheng32 at huawei.com> wrote:
>
> CVE: net: fix unbounded memcpy of UDP packet
>
> This patch adds a check to udp_len to fix unbounded memcpy for
> CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
>
> Signed-off-by: Cheng Liu <liucheng32 at huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
Although being annoyed by the lack of response from Fermin nearly a
month ago, would it make sense to add:
Reported-by: Fermín Serna <fermin at semmle.com>
Regards,
Simon
> ---
> net/net.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/net.c b/net/net.c
> index 40511db..68f9693 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
> return;
> }
>
> + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
> + return;
> +
> debug_cond(DEBUG_DEV_PKT,
> "received UDP (to=%pI4, from=%pI4, len=%d)\n",
> &dst_ip, &src_ip, len);
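Review bot: The added if line runs past 80 columns and calls ntohs(ip->udp_len) twice. Reading the value once into a local and splitting the condition over two lines would be easier to read. The bare return also drops the packet silently, although the very next statement is a debug_cond(DEBUG_DEV_PKT, ...) trace. A similar debug message on the reject path would help when diagnosing dropped traffic.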
> --
> 1.8.5.6
>