Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / c580b29c95ab0ab8a8060db324f500a04d494b77^! / . / net / net.c
commitc580b29c95ab0ab8a8060db324f500a04d494b77[log] [tgz]
authorliucheng (G) <liucheng32@huawei.com>Thu Aug 29 13:47:33 2019 +0000
committerJoe Hershberger <joe.hershberger@ni.com>Wed Sep 04 11:37:19 2019 -0500
treec68947cedb27841b166023d3a68377056f1a4db2
parenteff9c9081da44a62547e3ceac750abc1ae96e263 [diff] [blame]
CVE: net: fix unbounded memcpy of UDP packet

This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>

diff --git a/net/net.c b/net/net.c
index 74a8a36..ded86e7 100644
--- a/net/net.c
+++ b/net/net.c

@@ -1264,6 +1264,9 @@
 			return;
 		}
 
+		if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+			return;
+
 		debug_cond(DEBUG_DEV_PKT,
 			   "received UDP (to=%pI4, from=%pI4, len=%d)\n",
 			   &dst_ip, &src_ip, len);