* [PATCH] Fix CVE-2022-30767 (old CVE-2019-14196)
@ 2022-05-16 14:33 Andrea zi0Black Cappa
  2022-05-16 15:01 ` Tom Rini
  0 siblings, 1 reply; 2+ messages in thread
From: Andrea zi0Black Cappa @ 2022-05-16 14:33 UTC
  To: u-boot; +Cc: trini, Andrea zi0Black Cappa

[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]

Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
---
 net/nfs.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/nfs.c b/net/nfs.c
index 3c01cebd96..9152ab742e 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;

 static char dirfh[NFS_FHSIZE];	/* NFSv2 / NFSv3 file handle of directory */
 static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
-static int filefh3_length;	/* (variable) length of filefh when NFSv3 */
+static unsigned int filefh3_length;	/* (variable) length of filefh when NFSv3 */

 static enum net_loop_state nfs_download_state;
 static struct in_addr nfs_server_ip;
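Review bot: The `filefh3_length` declaration changes signedness without saying why, either in its trailing comment or in the commit message, which contains only the Signed-off-by. The reason is visible in the second hunk: the value comes from `ntohl(rpc_pkt.u.reply.data[1])`, and as a signed `int` a length with the top bit set is negative, so it passes `if (filefh3_length > NFS3_FHSIZE)` unclamped and is then converted to a very large size in `memcpy()`. Please state that reasoning in the commit message so the fix can be reviewed against the CVE it names.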
@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
 		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
 		if (filefh3_length > NFS3_FHSIZE)
 			filefh3_length  = NFS3_FHSIZE;
-		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length
) > len)
-			return -NFS_RPC_DROP;
 		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
 	}
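Review bot: Dropping the `len` comparison ahead of `memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length)` leaves the copy bounded only by `NFS3_FHSIZE`; nothing in this hunk still checks that a reply of `len` bytes actually carries `filefh3_length` bytes of file handle. If the check is removed because it was ineffective, say so in the commit message and explain what now guarantees the source bytes are valid. Otherwise keep a check, measured from `data + 2` where the copy starts rather than from `data[0]` as the removed lines did, and return `-NFS_RPC_DROP` on a short reply.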

--
2.36.0.windows.1


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 509 bytes --]


* Re: [PATCH] Fix CVE-2022-30767 (old CVE-2019-14196)
  2022-05-16 14:33 [PATCH] Fix CVE-2022-30767 (old CVE-2019-14196) Andrea zi0Black Cappa
@ 2022-05-16 15:01 ` Tom Rini
  0 siblings, 0 replies; 2+ messages in thread
From: Tom Rini @ 2022-05-16 15:01 UTC
  To: Andrea zi0Black Cappa; +Cc: u-boot

[-- Attachment #1: Type: text/plain, Size: 1342 bytes --]

On Mon, May 16, 2022 at 02:33:33PM +0000, Andrea zi0Black Cappa wrote:

> Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
> ---
>  net/nfs.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/net/nfs.c b/net/nfs.c
> index 3c01cebd96..9152ab742e 100644
> --- a/net/nfs.c
> +++ b/net/nfs.c
> @@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
> 
>  static char dirfh[NFS_FHSIZE];	/* NFSv2 / NFSv3 file handle of directory */
>  static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
> -static int filefh3_length;	/* (variable) length of filefh when NFSv3 */
> +static unsigned int filefh3_length;	/* (variable) length of filefh when NFSv3 */
> 
>  static enum net_loop_state nfs_download_state;
>  static struct in_addr nfs_server_ip;
> @@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
>  		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
>  		if (filefh3_length > NFS3_FHSIZE)
>  			filefh3_length  = NFS3_FHSIZE;
> -		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length
> ) > len)
> -			return -NFS_RPC_DROP;
>  		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
>  	}

Thanks.  Can you please elaborate on the issue, and how this fixes it,
in the commit message?

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
