| Message ID | 869863DB5440B44FB22173F42FC3F3CE01DAE717@dggemm513-mbx.china.huawei.com |
|---|---|
| State | Accepted |
| Commit | fe7288069d2e6659117049f7d27e261b550bb725 |
| Delegated to: | Joe Hershberger |
| Headers | show |
| Series | [U-Boot,v2,1/5] CVE: net: fix unbounded memcpy of UDP packet//RE: [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet | expand |
On Thu, Aug 29, 2019 at 8:48 AM liucheng (G) <liucheng32@huawei.com> wrote: > > Changes in v2: > - Add reviewed-by and reported-by tags for patch 1/5 > -------------------------------------------------------------------------------------------------------------- > CVE: net: fix unbounded memcpy of UDP packet > > This patch adds a check to udp_len to fix unbounded memcpy for > CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199. > > Signed-off-by: Cheng Liu <liucheng32@huawei.com> > Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com> > Reported-by: Fermín Serna <fermin@semmle.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Hi liucheng, https://patchwork.ozlabs.org/patch/1155274/ was applied to http://git.denx.de/?p=u-boot/u-boot-net.git Thanks! -Joe
diff --git a/net/net.c b/net/net.c index 40511db..68f9693 100644 --- a/net/net.c +++ b/net/net.c @@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len) return; } + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len)) + return; + debug_cond(DEBUG_DEV_PKT, "received UDP (to=%pI4, from=%pI4, len=%d)\n", &dst_ip, &src_ip, len);