]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
CVE: net: fix unbounded memcpy of UDP packet
authorliucheng (G) <liucheng32@huawei.com>
Thu, 29 Aug 2019 13:47:33 +0000 (13:47 +0000)
committerJoe Hershberger <joe.hershberger@ni.com>
Wed, 4 Sep 2019 16:37:19 +0000 (11:37 -0500)
This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net/net.c

index 74a8a36b5a756c55d6292a8d51108cd99b56866d..ded86e7456715ebfc39ce1f52cdd5fd954870963 100644 (file)
--- a/net/net.c
+++ b/net/net.c
@@ -1264,6 +1264,9 @@ void net_process_received_packet(uchar *in_packet, int len)
                        return;
                }
 
+               if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+                       return;
+
                debug_cond(DEBUG_DEV_PKT,
                           "received UDP (to=%pI4, from=%pI4, len=%d)\n",
                           &dst_ip, &src_ip, len);