authorLokanathan, Raaj <raaj.lokanathan@intel.com>2022-06-14 18:46:37 +0800
committerLokanathan, Raaj <raaj.lokanathan@intel.com>2022-06-14 19:02:55 +0800
commit01cafccba484f3d0abd32b090b957b3152a9800a (patch)
tree0b1689f3be5f747f885ca3c2e65ff944c9ed8350
parente4dae12f43df579c1369346cd9a817858e84b525 (diff)
downloadu-boot-socfpga-01cafccba484f3d0abd32b090b957b3152a9800a.tar.gz
CVE-2022-30767: unbounded memcpy with a failed length check
This patch tries to fix the CVE-2019-14196 fix. In the if-condition where NFSV2_FLAG is checked, a memcpy call is performed to transfer reply data of NFS_FHSIZE size. Since the data field in the struct rpc_t structure has a size of (1024 / 4) + 26 = 282, while NFS_FHSIZE is only 32, it won't lead to an out-of-bounds write (assuming the size of the data array won't change in the future). So the memcpy call will copy exactly NFS_FHSIZE (32) bytes from (rpc_pkt.u.reply.data + 1). Signed-off-by: gerbert <gerbert@users.noreply.github.com>
-rw-r--r--net/nfs.c2
1 files changed, 0 insertions, 2 deletions
diff --git a/net/nfs.c b/net/nfs.c
index 70d0e08bde..87b01878b6 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -571,8 +571,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
}
if (supported_nfs_versions & NFSV2_FLAG) {
- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)
- return -NFS_RPC_DROP;
memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
} else { /* NFSV3_FLAG */
filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);