[U-Boot] Vulnerability in UBOOT ping_receive()

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Mon Sep 30 17:53:09 UTC 2019


Hi,

Jordy <jordy at simplyhacker.com> wrote on Mon., 30 Sep 2019, 19:02:

> Hey Joe & U-BOOT-lists,
>
>
> I think I found a security vulnerability in U-BOOT and I figured I'd
> report it to you, if this is the wrong channel please let me know.
>
>
> So in https://github.com/u-boot/u-boot/blob/master/net/ping.c#L108 in the
> ping_receive() function the Ethernet header gets copied for eth_hdr_size +
> len to tx_packet. (No boundary checks)
>
> if CONFIG_CMD_PING is defined in receive_icmp() in
> https://github.com/u-boot/u-boot/blob/master/net/net.c#L1068 it will call
> ping_receive with the ethernet header, ip header and length. (Still no
> boundary checks)
>

Isn't the length checked at line 1204 right when IP processing starts?

Regards,
Simon


>
> Then on net_process_received_packet() it will call receive_icmp()
> https://github.com/u-boot/u-boot/blob/master/net/net.c#L1261 with a
> length from ntohs(ip->ip_len)
> https://github.com/u-boot/u-boot/blob/master/net/net.c#L1208 since an
> attacker could control this size it could trigger a straightforward memcpy
> overflow.
>
>
> To fix it I'd probably just add some boundary checks in ping_receive() so
> that the amount written doesn't exceed the buffer boundaries.
>
>
> Kind Regards,
>
> Jordy Zomer
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot
>

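The two positions in the thread, an early check that ip_len fits inside what was actually received (the check Simon points at) and a bound on the copy into the transmit buffer (the fix Jordy proposes), as an added example in C. This is not U-Boot's net/ping.c or net/net.c; the header sizes, the PKTSIZE transmit buffer size, the function names and the sample frame are assumptions made for illustration.

```c
/*
 * Added example, not U-Boot code: a minimal ICMP echo reply path that copies
 * eth_hdr_size + ip_len bytes from a received frame into a transmit buffer,
 * the pattern the thread discusses. Sizes and names below are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_SIZE   14
#define IP_HDR_SIZE    20
#define ICMP_HDR_SIZE  8
#define PKTSIZE        1518   /* assumed size of the transmit buffer */

#define ICMP_ECHO_REQUEST 8
#define ICMP_ECHO_REPLY   0

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement checksum over len bytes. */
static uint16_t inet_csum(const uint8_t *d, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += rd16(d); d += 2; len -= 2; }
    if (len) sum += (uint32_t)d[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * The check done once when IP processing starts: the header's ip_len must
 * cover at least the IP header and must not exceed the bytes actually
 * received after the Ethernet header. Returns the trusted IP length or -1.
 */
int validate_ip_len(const uint8_t *rx, size_t rx_len)
{
    if (rx_len < ETH_HDR_SIZE + IP_HDR_SIZE) return -1;
    const uint8_t *ip = rx + ETH_HDR_SIZE;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) != 5) return -1; /* IPv4, no options (assumed) */
    uint16_t ip_len = rd16(ip + 2);
    if (ip_len < IP_HDR_SIZE) return -1;
    if (ip_len > rx_len - ETH_HDR_SIZE) return -1; /* ip_len claims more than was received */
    return ip_len;
}

/*
 * Build an echo reply into tx (tx_size bytes). The memcpy of
 * ETH_HDR_SIZE + len bytes only happens after len has been validated and
 * bounded by the destination buffer. Returns bytes written or -1.
 */
int build_echo_reply(const uint8_t *rx, size_t rx_len, uint8_t *tx, size_t tx_size)
{
    int len = validate_ip_len(rx, rx_len);
    if (len < 0) return -1;
    if ((size_t)len < IP_HDR_SIZE + ICMP_HDR_SIZE) return -1; /* room for an ICMP header */
    if (ETH_HDR_SIZE + (size_t)len > tx_size) return -1;      /* bound on the copy */

    const uint8_t *ip = rx + ETH_HDR_SIZE;
    if (ip[9] != 1) return -1;                                /* protocol must be ICMP */
    const uint8_t *icmp = ip + IP_HDR_SIZE;
    if (icmp[0] != ICMP_ECHO_REQUEST) return -1;

    memcpy(tx, rx, ETH_HDR_SIZE + (size_t)len);

    /* Swap Ethernet addresses: reply goes back to the requester. */
    uint8_t mac[6];
    memcpy(mac, tx, 6); memcpy(tx, tx + 6, 6); memcpy(tx + 6, mac, 6);

    /* Swap IPv4 addresses and recompute the IP header checksum. */
    uint8_t *tip = tx + ETH_HDR_SIZE;
    uint8_t addr[4];
    memcpy(addr, tip + 12, 4); memcpy(tip + 12, tip + 16, 4); memcpy(tip + 16, addr, 4);
    wr16(tip + 10, 0);
    wr16(tip + 10, inet_csum(tip, IP_HDR_SIZE));

    /* Turn the request into a reply and recompute the ICMP checksum. */
    uint8_t *ticmp = tip + IP_HDR_SIZE;
    ticmp[0] = ICMP_ECHO_REPLY;
    wr16(ticmp + 2, 0);
    wr16(ticmp + 2, inet_csum(ticmp, (size_t)len - IP_HDR_SIZE));

    return ETH_HDR_SIZE + len;
}

/* Constructed sample frame (not a capture): 14-byte Ethernet + 20-byte IPv4
 * + 8-byte ICMP echo request + 4 payload bytes, ip_len = 32, wire length = 46. */
size_t sample_echo_request(uint8_t *out)
{
    static const uint8_t frame[46] = {
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00, /* Ethernet */
        0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00,         /* IPv4 */
        192,168,0,2, 192,168,0,1,                                               /* src, dst */
        0x08,0x00,0x00,0x00, 0x00,0x01,0x00,0x01, 'p','i','n','g'               /* ICMP */
    };
    memcpy(out, frame, sizeof frame);
    return sizeof frame;
}
```

The point of keeping both checks is that they guard different things: validate_ip_len() rejects an ip_len that overstates the wire length, so the copy can never read past the receive buffer, while the tx_size comparison in build_echo_reply() is what stops a legitimately long frame from writing past the transmit buffer.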
