[U-Boot] Vulnerability in UBOOT ping_receive()
jordy at simplyhacker.com
Mon Sep 30 17:01:48 UTC 2019
Hey Joe & U-BOOT-lists,
I think I found a security vulnerability in U-BOOT and I figured I'd report it to you, if this is the wrong channel please let me know.
So in https://github.com/u-boot/u-boot/blob/master/net/ping.c#L108, in the ping_receive() function, the Ethernet header gets copied for eth_hdr_size + len to tx_packet (no boundary checks).
If CONFIG_CMD_PING is defined, receive_icmp() in https://github.com/u-boot/u-boot/blob/master/net/net.c#L1068 will call ping_receive() with the Ethernet header, IP header and length (still no boundary checks).
Then net_process_received_packet() will call receive_icmp() (https://github.com/u-boot/u-boot/blob/master/net/net.c#L1261) with a length from ntohs(ip->ip_len) (https://github.com/u-boot/u-boot/blob/master/net/net.c#L1208). Since an attacker could control this size, it could trigger a straightforward memcpy overflow.
To fix it I'd probably just add some boundary checks in ping_receive() so that the amount written doesn't exceed the buffer boundaries.
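The following is an added illustration, not code from the report above or from U-Boot, of the length-handling pattern the report describes: a copy length derived as eth_hdr_size + ntohs(ip->ip_len) straight from the received packet, beside a variant that bounds the copy before touching memory. The buffer and header sizes (TX_BUF_SIZE, ETH_HDR_SIZE, IP_HDR_SIZE), the function names and the frames are all constructed for this example; the check against the number of bytes actually received is an extra guard on top of the buffer-size check the report suggests. The unchecked path only computes the length it would hand to memcpy rather than performing the copy, so the demo itself stays memory-safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes standing in for the fixed transmit buffer and the
 * Ethernet/IPv4 header lengths; not U-Boot's own constants. */
#define TX_BUF_SIZE   1536
#define ETH_HDR_SIZE  14
#define IP_HDR_SIZE   20

/* Read the 16-bit big-endian total-length field of the IPv4 header that
 * follows the Ethernet header. The sender chooses this value. */
static uint16_t ip_total_len(const uint8_t *frame, size_t eth_hdr_size)
{
    return (uint16_t)(((uint16_t)frame[eth_hdr_size + 2] << 8) |
                      frame[eth_hdr_size + 3]);
}

/* The unchecked pattern from the report: the copy length is
 * eth_hdr_size + ntohs(ip->ip_len), taken from the packet alone, so a
 * frame claiming ip_len = 0xFFFF yields a length far beyond any fixed
 * buffer. Only the length is computed here; no memcpy is performed. */
size_t unchecked_copy_len(const uint8_t *frame, size_t eth_hdr_size)
{
    return eth_hdr_size + (size_t)ip_total_len(frame, eth_hdr_size);
}

/* Hardened variant: bound the copy by the bytes actually received and by
 * the destination buffer before copying. Returns bytes copied, or -1 if
 * the frame is rejected. */
int checked_copy(uint8_t *dst, size_t dst_size,
                 const uint8_t *frame, size_t frame_len, size_t eth_hdr_size)
{
    if (frame_len < eth_hdr_size + IP_HDR_SIZE)
        return -1;                      /* no complete IPv4 header */

    uint16_t ip_len = ip_total_len(frame, eth_hdr_size);
    if (ip_len < IP_HDR_SIZE)
        return -1;                      /* header claims less than itself */

    size_t total = eth_hdr_size + (size_t)ip_len;
    if (total > frame_len)
        return -1;                      /* claims more than was received */
    if (total > dst_size)
        return -1;                      /* would overflow the tx buffer */

    memcpy(dst, frame, total);
    return (int)total;
}

/* Build a constructed Ethernet+IPv4 frame whose ip_len field carries the
 * given claim regardless of the real payload size. Returns frame length,
 * or 0 if it does not fit in buf. */
size_t build_frame(uint8_t *buf, size_t buf_size,
                   uint16_t claimed_ip_len, size_t payload_len)
{
    size_t total = ETH_HDR_SIZE + IP_HDR_SIZE + payload_len;
    if (total > buf_size)
        return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[ETH_HDR_SIZE] = 0x45;                       /* IPv4, IHL 5 */
    buf[ETH_HDR_SIZE + 2] = (uint8_t)(claimed_ip_len >> 8);
    buf[ETH_HDR_SIZE + 3] = (uint8_t)(claimed_ip_len & 0xff);
    buf[ETH_HDR_SIZE + 9] = 1;                      /* protocol ICMP */
    return total;
}

int main(void)
{
    static uint8_t tx_packet[TX_BUF_SIZE];
    uint8_t frame[128];

    /* Honest frame: 20-byte IP header + 32 bytes of ICMP, ip_len = 52. */
    size_t n = build_frame(frame, sizeof frame, IP_HDR_SIZE + 32, 32);
    printf("honest:  unchecked len %zu, checked %d\n",
           unchecked_copy_len(frame, ETH_HDR_SIZE),
           checked_copy(tx_packet, sizeof tx_packet, frame, n, ETH_HDR_SIZE));

    /* Hostile frame: the same 66 bytes on the wire, but ip_len claims 0xFFFF. */
    n = build_frame(frame, sizeof frame, 0xFFFF, 32);
    printf("hostile: unchecked len %zu (buffer is %d), checked %d\n",
           unchecked_copy_len(frame, ETH_HDR_SIZE), TX_BUF_SIZE,
           checked_copy(tx_packet, sizeof tx_packet, frame, n, ETH_HDR_SIZE));
    return 0;
}
```

The received-length check matters on its own: a frame claiming ip_len = 1500 fits a 1536-byte buffer and would pass a buffer-size check alone, yet still copies bytes the NIC never delivered into the reply.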