[PATCH 0/2] Fix buffer overflows in nfs code

[PATCH 0/2] Fix buffer overflows in nfs code

[Sascha Hauer]

These patches fix possible buffer overflows in the nfs code. We take a
32bit value read from an incoming network packet as length argument to
memcpy without boundary checking. The patches add the necessary boundary
checks. The patches can be backported to any past version, let me know
if you are interested in any specific version.

Sascha Hauer (2):
  net: nfs: Fix possible buffer overflow
  fs: nfs: Fix possible buffer overflow

 fs/nfs.c  | 4 ++++
 net/nfs.c | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

-- 
2.23.0


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH 1/2] net: nfs: Fix possible buffer overflow

[Sascha Hauer]

nfs_readlink_reply() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 net/nfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/nfs.c b/net/nfs.c
index 0a3021994a..63573098d7 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 {
 	uint32_t *data;
 	char *path;
-	int rlen;
+	unsigned int rlen;
 	int ret;
 
 	ret = rpc_check_reply(pkt, 1);
@@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 
 	rlen = ntohl(net_read_uint32(data)); /* new path length */
 
+	rlen = max_t(unsigned int, rlen,
+		     len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	data++;
 	path = (char *)data;
 
-- 
2.23.0


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH 2/2] fs: nfs: Fix possible buffer overflow

[Sascha Hauer]

nfs_readlink_req() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 fs/nfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nfs.c b/fs/nfs.c
index d606ccd1e9..0ad07aa3f2 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh,
 	p = nfs_read_post_op_attr(p, NULL);
 
 	len = ntoh32(net_read_uint32(p)); /* new path length */
+
+	len = max_t(unsigned int, len,
+		    nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	p++;
 
 	*target = xzalloc(len + 1);
-- 
2.23.0


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox