[U-Boot] [PATCH v2 1/5] CVE: net: fix unbounded memcpy of UDP packet//RE: [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet

[U-Boot] [PATCH v2 1/5] CVE: net: fix unbounded memcpy of UDP packet//RE: [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet

[liucheng]

Changes in v2:
- Add reviewed-by and reported-by tags for patch 1/5
--------------------------------------------------------------------------------------------------------------
CVE: net: fix unbounded memcpy of UDP packet

This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reported-by: Fermín Serna <fermin@semmle.com>
---
 net/net.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/net.c b/net/net.c
index 40511db..68f9693 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
 			return;
 		}
 
+		if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+			return;
+
 		debug_cond(DEBUG_DEV_PKT,
 			   "received UDP (to=%pI4, from=%pI4, len=%d)\n",
 			   &dst_ip, &src_ip, len);
-- 
1.8.5.6

-----Original Message-----
From: Simon Goldschmidt [mailto:simon.k.r.goldschmidt at gmail.com] 
Sent: Thursday, August 22, 2019 3:30 AM
To: liucheng (G) <liucheng32@huawei.com>
Cc: U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet

On Wed, Aug 21, 2019 at 8:32 PM Cheng Liu <liucheng32@huawei.com> wrote:
>
> CVE: net: fix unbounded memcpy of UDP packet
>
> This patch adds a check to udp_len to fix unbounded memcpy for
> CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
>
> Signed-off-by: Cheng Liu <liucheng32@huawei.com>

Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>

Although being annoyed by the lack of response from Fermin nearly a
month ago, would it make sense to add:

Reported-by: Fermín Serna <fermin@semmle.com>

Regards,
Simon

> ---
>  net/net.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/net.c b/net/net.c
> index 40511db..68f9693 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len)
>                         return;
>                 }
>
> +               if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
> +                       return;
> +
>                 debug_cond(DEBUG_DEV_PKT,
>                            "received UDP (to=%pI4, from=%pI4, len=%d)\n",
>                            &dst_ip, &src_ip, len);
> --
> 1.8.5.6
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot

[U-Boot] [PATCH v2 1/5] CVE: net: fix unbounded memcpy of UDP packet//RE: [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet

[Joe Hershberger]

On Thu, Aug 29, 2019 at 8:48 AM liucheng (G) <liucheng32@huawei.com> wrote:
>
> Changes in v2:
> - Add reviewed-by and reported-by tags for patch 1/5
> --------------------------------------------------------------------------------------------------------------
> CVE: net: fix unbounded memcpy of UDP packet
>
> This patch adds a check to udp_len to fix unbounded memcpy for
> CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
>
> Signed-off-by: Cheng Liu <liucheng32@huawei.com>
> Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
> Reported-by: Fermín Serna <fermin@semmle.com>

Acked-by: Joe Hershberger <joe.hershberger@ni.com>

[U-Boot] CVE: net: fix unbounded memcpy of UDP packet

[Joe Hershberger]

Hi liucheng,

https://patchwork.ozlabs.org/patch/1155274/ was applied to http://git.denx.de/?p=u-boot/u-boot-net.git

Thanks!
-Joe