-- 1.8.5.6 -----Original Message----- From: Simon Goldschmidt [mailto:simon.k.r.goldschmidt@gmail.com] Sent: Thursday, August 22, 2019 3:30 AM To: liucheng (G) liucheng32@huawei.com Cc: U-Boot Mailing List u-boot@lists.denx.de Subject: Re: [U-Boot] [PATCH 1/5] CVE: net: fix unbounded memcpy of UDP packet On Wed, Aug 21, 2019 at 8:32 PM Cheng Liu liucheng32@huawei.com wrote: > > CVE: net: fix unbounded memcpy of UDP packet > > This patch adds a check to udp_len to fix unbounded memcpy for > CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199. > > Signed-off-by: Cheng Liu liucheng32@huawei.com Reviewed-by: Simon Goldschmidt simon.k.r.goldschmidt@gmail.com Although being annoyed by the lack of response from Fermin nearly a month ago, would it make sense to add: Reported-by: Fermín Serna fermin@semmle.com Regards, Simon > --- > net/net.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/net.c b/net/net.c > index 40511db..68f9693 100644 > --- a/net/net.c > +++ b/net/net.c > @@ -1253,6 +1253,9 @@ void net_process_received_packet(uchar *in_packet, int len) > return; > } > > + if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len)) > + return; > + > debug_cond(DEBUG_DEV_PKT, > "received UDP (to=%pI4, from=%pI4, len=%d)\n", > &dst_ip, &src_ip, len); > -- > 1.8.5.6 > > _______________________________________________ > U-Boot mailing list > U-Boot@lists.denx.de > https://lists.denx.de/listinfo/u-boot