projects
/
platform
/
kernel
/
u-boot.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
741a8a0
)
CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy with a failed length check...
author
liucheng (G)
<liucheng32@huawei.com>
Thu, 29 Aug 2019 13:47:48 +0000
(13:47 +0000)
committer
Joe Hershberger
<joe.hershberger@ni.com>
Wed, 4 Sep 2019 16:37:19 +0000
(11:37 -0500)
This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reported-by: FermÃn Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net/nfs.c
patch
|
blob
|
history
diff --git
a/net/nfs.c
b/net/nfs.c
index b7cf3b3a188cc7b051e26a1d9ec8869ac3da2682..11941fad1acfc0381e26fd119eb311afef949b16 100644
(file)
--- a/
net/nfs.c
+++ b/
net/nfs.c
@@
-701,6
+701,9
@@
static int nfs_read_reply(uchar *pkt, unsigned len)
&(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
}
+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
+ return -9999;
+
if (store_block(data_ptr, nfs_offset, rlen))
return -9999;