[PATCH 0/6] broken CVE fix (b85d130ea0ca)

Rasmus Villemoes rasmus.villemoes at prevas.dk
Fri Oct 14 19:43:36 CEST 2022


tl;dr: b85d130ea0ca didn't fix the CVE(s), but did break tftp of
certain file sizes - which is somewhat lucky, since that's how I
noticed in the first place.

What I at first hoped would be a one-liner trivial fix turned out to
be much more complicated and led me down a rabbit hole of related
fixes. And this isn't even complete, I'm afraid. Details in 3/6.

1 and 4 are independent of all the others. 5 is a trivial preparation
for 6; otherwise those are also independent of the others. Finally, 2
and 3 are my attempts at actually fixing CVE-2022-{30790,30552}, with
2 essentially lifting the "ensure the payload has non-negative size"
to the first place we can check that instead of relying on that check
to happen in several places.


Rasmus Villemoes (6):
  net: improve check for no IP options
  net: compare received length to sizeof(ip_hdr), not sizeof(ip_udp_hdr)
  net: (actually/better) deal with CVE-2022-{30790,30552}
  net: fix ip_len in reassembled IP datagram
  net: tftp: use IS_ENABLED(CONFIG_NET_TFTP_VARS) instead of #if
  net: tftp: sanitize tftp block size, especially for TX

 net/net.c  |  24 +++++++++----
 net/tftp.c | 102 ++++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 92 insertions(+), 34 deletions(-)

-- 
2.37.2
