
Hi,
Jordy <jordy@simplyhacker.com> wrote on Mon., 30 Sep. 2019, 19:02:

> Hey Joe & U-BOOT-lists,
>
> I think I found a security vulnerability in U-BOOT and I figured I'd report it to you; if this is the wrong channel please let me know.
>
> So in https://github.com/u-boot/u-boot/blob/master/net/ping.c#L108 in the ping_receive() function the ethernet header gets copied for eth_hdr_size + len to tx_packet. (No boundary checks)
>
> If CONFIG_CMD_PING is defined, in receive_icmp() in https://github.com/u-boot/u-boot/blob/master/net/net.c#L1068 it will call ping_receive with the ethernet header, ip header and length. (Still no boundary checks)

Isn't the length checked at line 1204 right when IP processing starts?

Regards,
Simon

> Then in net_process_received_packet() it will call receive_icmp() https://github.com/u-boot/u-boot/blob/master/net/net.c#L1261 with a length from ntohs(ip->ip_len) https://github.com/u-boot/u-boot/blob/master/net/net.c#L1208. Since an attacker could control this size, it could trigger a straightforward memcpy overflow.
>
> To fix it I'd probably just add some boundary checks in ping_receive() so that the amount written doesn't exceed the buffer boundaries.
>
> Kind Regards,
> Jordy Zomer

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
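As an added illustration (this is not U-Boot's code and none of the constants or function names below are U-Boot's), the kind of boundary check the thread talks about: the IP total-length field read from the packet is attacker-controlled, so before anything is copied into a fixed-size transmit buffer it has to be checked against both the frame length the NIC actually delivered and the size of the destination buffer. Sizes and the helper names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical sizes for this example, not U-Boot's real constants. */
#define ETH_HDR_SIZE 14u
#define IP_HDR_SIZE  20u
#define TX_BUF_SIZE  1536u

static uint8_t tx_packet[TX_BUF_SIZE];   /* fixed-size transmit buffer */

/* Decide how many bytes of the received frame may be copied into the
 * reply. rx_len comes from the NIC and is trusted; the IP total-length
 * field is read from the packet and is attacker-controlled.
 * Returns ETH_HDR_SIZE + ip_len on success, 0 when the frame is rejected. */
size_t ping_reply_len(const uint8_t *rx_frame, size_t rx_len)
{
    if (rx_len < ETH_HDR_SIZE + IP_HDR_SIZE)      /* no complete IP header */
        return 0;
    /* IP total length sits at offset 2 of the IP header (big-endian). */
    size_t ip_len = ((size_t)rx_frame[ETH_HDR_SIZE + 2] << 8) |
                     rx_frame[ETH_HDR_SIZE + 3];
    if (ip_len < IP_HDR_SIZE)                      /* field shorter than header */
        return 0;
    if (ip_len > rx_len - ETH_HDR_SIZE)            /* field claims unreceived bytes */
        return 0;
    if (ETH_HDR_SIZE + ip_len > TX_BUF_SIZE)       /* would overflow tx_packet */
        return 0;
    return ETH_HDR_SIZE + ip_len;
}

/* Copy only after the length has been validated; returns bytes written. */
size_t build_ping_reply(const uint8_t *rx_frame, size_t rx_len)
{
    size_t n = ping_reply_len(rx_frame, rx_len);
    if (n == 0)
        return 0;
    memcpy(tx_packet, rx_frame, n);
    return n;
}

/* Helper: build a constructed frame of rx_len zero bytes whose IP
 * total-length field is set to ip_len_field, then run the reply path. */
size_t check_frame(size_t rx_len, unsigned ip_len_field)
{
    static uint8_t frame[4096];              /* assumption: rx_len <= 4096 */
    memset(frame, 0, sizeof frame);
    frame[ETH_HDR_SIZE + 2] = (uint8_t)(ip_len_field >> 8);
    frame[ETH_HDR_SIZE + 3] = (uint8_t)ip_len_field;
    return build_ping_reply(frame, rx_len);
}
```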