Message ID | 20220516143345.1892-1-zi0Black@protonmail.com |
---|---|
State | Changes Requested |
Delegated to: | Tom Rini |
Series | Fix CVE-2022-30767 (old CVE-2019-14196) |
On Mon, May 16, 2022 at 02:33:33PM +0000, Andrea zi0Black Cappa wrote: > Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com> > --- > net/nfs.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/net/nfs.c b/net/nfs.c > index 3c01cebd96..9152ab742e 100644 > --- a/net/nfs.c > +++ b/net/nfs.c > @@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT; > > static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */ > static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */ > -static int filefh3_length; /* (variable) length of filefh when NFSv3 */ > +static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */ > > static enum net_loop_state nfs_download_state; > static struct in_addr nfs_server_ip; > @@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) > filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); > if (filefh3_length > NFS3_FHSIZE) > filefh3_length = NFS3_FHSIZE; > - if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length > ) > len) > - return -NFS_RPC_DROP; > memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); > } Thanks. Can you please elaborate on the issue, and how this fixes it, in the commit message?
diff --git a/net/nfs.c b/net/nfs.c index 3c01cebd96..9152ab742e 100644 --- a/net/nfs.c +++ b/net/nfs.c @@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT; static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */ -static int filefh3_length; /* (variable) length of filefh when NFSv3 */ +static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */ static enum net_loop_state nfs_download_state; static struct in_addr nfs_server_ip; @@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); if (filefh3_length > NFS3_FHSIZE) filefh3_length = NFS3_FHSIZE; - if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length ) > len) - return -NFS_RPC_DROP; memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); }
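Review bot: The first hunk (the filefh3_length declaration near line 52) carries the actual fix, but nothing in the patch says why the type matters. With the old signed int, a length taken from ntohl(rpc_pkt.u.reply.data[1]) with its top bit set becomes negative, so `if (filefh3_length > NFS3_FHSIZE)` does not clamp it (assuming NFS3_FHSIZE is a plain integer constant) and memcpy then receives it converted to a very large size. Please put that reasoning in the commit message, which currently holds only the sign-off, and consider extending the comment on the declaration to say the value comes from the wire and has to stay unsigned for the clamp to hold.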
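Review bot: The second hunk (nfs_lookup_reply, near line 573) drops the only check that ties filefh3_length to the received len, and the patch does not justify that. The clamp to NFS3_FHSIZE bounds the destination filefh, but after this change memcpy copies filefh3_length bytes from rpc_pkt.u.reply.data + 2 even when the reply was shorter than that, and such a reply is no longer rejected with -NFS_RPC_DROP. If the objection is that the removed test was inaccurate (it measures from data[0] while the copy starts at data + 2), please correct the offset and keep the test rather than deleting it, or explain in the commit message why len no longer needs to be checked here.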
Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com> --- net/nfs.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -- 2.36.0.windows.1