diff options
Diffstat (limited to 'meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch')
-rw-r--r-- | meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch new file mode 100644 index 0000000000..04a09e46df --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001 | ||
2 | From: "liucheng (G)" <liucheng32@huawei.com> | ||
3 | Date: Thu, 29 Aug 2019 13:47:40 +0000 | ||
4 | Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some | ||
5 | nfs_handler reply helper functions | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197, | ||
11 | CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204. | ||
12 | |||
13 | Signed-off-by: Cheng Liu <liucheng32@huawei.com> | ||
14 | Reported-by: FermÃn Serna <fermin@semmle.com> | ||
15 | Acked-by: Joe Hershberger <joe.hershberger@ni.com> | ||
16 | |||
17 | Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit; | ||
18 | h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21] | ||
19 | |||
20 | CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, | ||
21 | CVE-2019-14203 and CVE-2019-14204 | ||
22 | |||
23 | Signed-off-by: Meng Li <Meng.Li@windriver.com> | ||
24 | --- | ||
25 | net/nfs.c | 3 +++ | ||
26 | 1 file changed, 3 insertions(+) | ||
27 | |||
28 | diff --git a/net/nfs.c b/net/nfs.c | ||
29 | index d6a7f8e827..b7cf3b3a18 100644 | ||
30 | --- a/net/nfs.c | ||
31 | +++ b/net/nfs.c | ||
32 | @@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip, | ||
33 | |||
34 | debug("%s\n", __func__); | ||
35 | |||
36 | + if (len > sizeof(struct rpc_t)) | ||
37 | + return; | ||
38 | + | ||
39 | if (dest != nfs_our_port) | ||
40 | return; | ||
41 | |||
42 | -- | ||
43 | 2.17.1 | ||
44 | |||