]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
authorAndrea zi0Black Cappa <zi0Black@protonmail.com>
Wed, 18 May 2022 16:30:08 +0000 (16:30 +0000)
committerTom Rini <trini@konsulko.com>
Thu, 26 May 2022 14:32:06 +0000 (10:32 -0400)
This patch mitigates the vulnerability identified via CVE-2019-14196.

The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.

Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
net/nfs.c

index 3c01cebd96f8dedbfc0c0d2c0676f0caa296c574..9152ab742ef1a327254547d8ae125588b736b105 100644 (file)
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
 
 static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
 static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
-static int filefh3_length;     /* (variable) length of filefh when NFSv3 */
+static unsigned int filefh3_length;    /* (variable) length of filefh when NFSv3 */
 
 static enum net_loop_state nfs_download_state;
 static struct in_addr nfs_server_ip;
@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
                filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
                if (filefh3_length > NFS3_FHSIZE)
                        filefh3_length  = NFS3_FHSIZE;
-               if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
-                       return -NFS_RPC_DROP;
                memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
        }