author | Andrea zi0Black Cappa <zi0Black@protonmail.com> | 2022-05-18 16:30:08 +0000 |
---|---|---|
committer | Lokanathan, Raaj <raaj.lokanathan@intel.com> | 2022-11-02 17:43:02 +0800 |
commit | 0c072494022ed9fa3e388e1a05af313bc0fa2544 (patch) | |
tree | bcf67cbdebbf3ef7ff831875877c2b77917a9996 | |
parent | 2544e805ea2b6e87a9261d51bb4fce10d78d1c2f (diff) | |
net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
This patch mitigates the vulnerability identified via CVE-2019-14196.
The previous patch was bypassed/ineffective, and now the vulnerability
is identified via CVE-2022-30767. The patch removes the sanity check
introduced to mitigate CVE-2019-14196 since it's ineffective.
filefh3_length is changed to unsigned type integer, preventing negative
numbers from being used during comparison with positive values during
size sanity checks.
Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
-rw-r--r-- | net/nfs.c | 4 |
1 files changed, 1 insertions, 3 deletions
@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT;
 static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
 static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
+static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
 static enum net_loop_state nfs_download_state;
 static struct in_addr nfs_server_ip;
@@ -576,8 +576,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
 filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
 if (filefh3_length > NFS3_FHSIZE)
 filefh3_length = NFS3_FHSIZE;
- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
- return -NFS_RPC_DROP;
 memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
 }
|
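Review bot: In the second hunk, `memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length)` in nfs_lookup_reply is now bounded only by `NFS3_FHSIZE`, so nothing ties the server-supplied handle length to `len`, the size of the reply actually received. With `filefh3_length` unsigned the clamp does protect `filefh`, but a reply shorter than the handle it announces would presumably still be copied from bytes of `rpc_pkt` that the packet never filled (how `rpc_pkt` is populated lies outside the hunk). Rather than deleting the length test, consider keeping it in a form that is sound with the unsigned type and measures from the copy source, e.g. `if ((uchar *)&rpc_pkt.u.reply.data[2] - (uchar *)&rpc_pkt + filefh3_length > len)` followed by `return -NFS_RPC_DROP;`. The function body starts and ends outside the hunk, so the other users of `filefh3_length` are worth checking for comparisons that relied on it being signed.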