author | Sascha Hauer <s.hauer@pengutronix.de> | 2020-06-03 09:50:40 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2020-06-03 09:50:44 +0200 |
commit | c0f0cbd1759a6ca6cbda4001dff5764f6633c825 (patch) | |
tree | 6d734abb2000ac4c18984632d0947a501d048983 /net/nfs.c | |
parent | 1b57c7381c781e3cf39a10a2a01ce8e1fe5aca66 (diff) | |
download | barebox-c0f0cbd1759a6ca6cbda4001dff5764f6633c825.tar.gz |
nfs: Fix out of bounds read
nfs_read_reply() interprets the fields of an incoming packet directly
as a field length without checking the boundaries. Clamp the maximum
length to the packet length to avoid reading out of bounds.
Reported-by: Jai Verma <jai2.verma@outlook.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'net/nfs.c')
-rw-r--r-- | net/nfs.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -533,7 +533,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len) static int nfs_read_reply(unsigned char *pkt, unsigned len) { - int rlen; + unsigned int rlen; uint32_t *data; int ret; @@ -552,6 +552,8 @@ static int nfs_read_reply(unsigned char *pkt, unsigned len) rlen = ntohl(net_read_uint32(data + 18)); + rlen = max_t(unsigned int, rlen, len - 19); + ret = write(net_store_fd, (char *)(data + 19), rlen); if (ret < 0) { perror("write"); |
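Review bot: In the second hunk (@@ -552,6 +552,8 @@), `rlen = max_t(unsigned int, rlen, len - 19);` takes the larger of the two values, so an oversized length field from the packet passes through unchanged and a small one is raised to `len - 19`. The commit message describes clamping the length to the packet, which needs `min_t(unsigned int, rlen, len - 19)`. Two more points on the same line. First, `len` is unsigned and no lower-bound check is visible in the hunk, so `len - 19` wraps to a very large value when `len` is below 19; reject such packets before computing the bound. Second, the payload is written from `data + 19` where `data` is a `uint32_t *`, which is 76 bytes past `data`, so if `len` counts bytes the bound should subtract the payload's byte offset within the packet rather than the word index 19. A short comment stating the unit of `len` and the offset being subtracted would make the bound checkable by the next reader.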