* [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
@ 2019-08-29 13:47 liucheng
2019-09-03 18:31 ` Joe Hershberger
2019-09-04 16:41 ` [U-Boot] " Joe Hershberger
0 siblings, 2 replies; 4+ messages in thread
From: liucheng @ 2019-08-29 13:47 UTC (permalink / raw)
To: u-boot
Changes in v2:
- Add reported-by tag for patch 4/5
--------------------------------------------------------------------------------------------------------------
CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: FermÃn Serna <fermin@semmle.com>
---
net/nfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/nfs.c b/net/nfs.c
index 11941fa..915acd9 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
/* new path length */
rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+ return -NFS_RPC_DROP;
+
if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
int pathlen;
--
1.8.5.6
-----Original Message-----
From: liucheng (G)
Sent: Wednesday, August 21, 2019 10:48 PM
To: u-boot at lists.denx.de
Cc: liucheng (G) <liucheng32@huawei.com>
Subject: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
net/nfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/nfs.c b/net/nfs.c
index 11941fa..915acd9 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
/* new path length */
rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+ return -NFS_RPC_DROP;
+
if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
int pathlen;
--
1.8.5.6
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
2019-08-29 13:47 [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply liucheng
@ 2019-09-03 18:31 ` Joe Hershberger
2019-09-04 16:41 ` [U-Boot] " Joe Hershberger
1 sibling, 0 replies; 4+ messages in thread
From: Joe Hershberger @ 2019-09-03 18:31 UTC (permalink / raw)
To: u-boot
On Thu, Aug 29, 2019 at 8:50 AM liucheng (G) <liucheng32@huawei.com> wrote:
>
> Changes in v2:
> - Add reported-by tag for patch 4/5
> --------------------------------------------------------------------------------------------------------------
> CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
>
> This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
>
> Signed-off-by: Cheng Liu <liucheng32@huawei.com>
> Reported-by: FermÃn Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [U-Boot] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
2019-08-29 13:47 [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply liucheng
2019-09-03 18:31 ` Joe Hershberger
@ 2019-09-04 16:41 ` Joe Hershberger
1 sibling, 0 replies; 4+ messages in thread
From: Joe Hershberger @ 2019-09-04 16:41 UTC (permalink / raw)
To: u-boot
Hi liucheng,
https://patchwork.ozlabs.org/patch/1155278/ was applied to http://git.denx.de/?p=u-boot/u-boot-net.git
Thanks!
-Joe
^ permalink raw reply [flat|nested] 4+ messages in thread
* [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
@ 2019-08-22 3:28 liucheng
0 siblings, 0 replies; 4+ messages in thread
From: liucheng @ 2019-08-22 3:28 UTC (permalink / raw)
To: u-boot
Changes in v2:
- Add reported-by tag for patch 4/5
--------------------------------------------------------------------------------------------------------------
CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: FermÃn Serna <fermin@semmle.com>
---
net/nfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/nfs.c b/net/nfs.c
index 11941fa..915acd9 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
/* new path length */
rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+ return -NFS_RPC_DROP;
+
if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
int pathlen;
--
1.8.5.6
-----Original Message-----
From: liucheng (G)
Sent: Wednesday, August 21, 2019 10:48 PM
To: u-boot at lists.denx.de
Cc: liucheng (G) <liucheng32@huawei.com>
Subject: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply
This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
---
net/nfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/nfs.c b/net/nfs.c
index 11941fa..915acd9 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
/* new path length */
rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+ return -NFS_RPC_DROP;
+
if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
int pathlen;
--
1.8.5.6
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-09-04 16:41 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-29 13:47 [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply liucheng
2019-09-03 18:31 ` Joe Hershberger
2019-09-04 16:41 ` [U-Boot] " Joe Hershberger
-- strict thread matches above, loose matches on Subject: below --
2019-08-22 3:28 [U-Boot] [PATCH v2 4/5] CVE-2019-14195: nfs: fix unbounded memcpy with unvalidated length at nfs_readlink_reply //RE: [PATCH 4/5] " liucheng
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.