[PATCH 1/1 v1] CVE-2022-30767: unbounded memcpy with a failed length check

gerbert gerbert at mu-ori.me
Sat Jun 4 20:26:53 CEST 2022


This patch tries to fix a CVE-2019-14196 fix

In if-condition, where NFSV2_FLAG is checked, memcpy call is performed
to transfer a reply data of NFS_FHSIZE size. Since the data field in
struct rpc_t structure has the size of (1024 / 4) + 26 = 282, while
NFS_FHSIZE is only 32, it won't lead to out-of-bounds write (considering
the size of data array won't change in the future). So the memcpy call
will copy exactly NFS_FHSIZE (32) bytes from (rpc_pkt.u.reply.data + 1).

Signed-off-by: gerbert <gerbert at users.noreply.github.com>
---
  net/nfs.c | 2 --
  1 file changed, 2 deletions(-)

diff --git a/net/nfs.c b/net/nfs.c
index 9152ab742e..98943dde5e 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -566,8 +566,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned 
len)
  	}

  	if (supported_nfs_versions & NFSV2_FLAG) {
-		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + 
NFS_FHSIZE) > len)
-			return -NFS_RPC_DROP;
  		memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
  	} else {  /* NFSV3_FLAG */
  		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
-- 
2.32.0


More information about the U-Boot mailing list