Hi,

Jordy <jo...@simplyhacker.com> wrote on Mon., 30 Sep. 2019, 19:02:

> Hey Joe & U-BOOT-lists,
>
> I think I found a security vulnerability in U-BOOT and I figured I'd report it to you; if this is the wrong channel please let me know.
>
> So in https://github.com/u-boot/u-boot/blob/master/net/ping.c#L108 in the ping_receive() function the ethernet header gets copied for eth_hdr_size + len to tx_packet. (No boundary checks)
>
> If CONFIG_CMD_PING is defined, in receive_icmp() in https://github.com/u-boot/u-boot/blob/master/net/net.c#L1068 it will call ping_receive with the ethernet header, ip header and length. (Still no boundary checks)

Isn't the length checked at line 1204 right when IP processing starts?

Regards,
Simon

> Then on net_process_received_packet() it will call receive_icmp() https://github.com/u-boot/u-boot/blob/master/net/net.c#L1261 with a length from ntohs(ip->ip_len) https://github.com/u-boot/u-boot/blob/master/net/net.c#L1208; since an attacker could control this size it could trigger a straightforward memcpy overflow.
>
> To fix it I'd probably just add some boundary checks in ping_receive() so that the amount written doesn't exceed the buffer boundaries.
>
> Kind Regards,
>
> Jordy Zomer
> _______________________________________________
> U-Boot mailing list
> U-Boot@lists.denx.de
> https://lists.denx.de/listinfo/u-boot
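As an added illustration that is not U-Boot's code and not from either poster: the two checks this thread turns on, written in C with hypothetical names (read_ip_len, copy_ping_frame, make_frame, TX_CAP) over a constructed frame. The first check is the one Simon asks about (the IP length field against the bytes actually received); the second is the one Jordy proposes (the copy size against the destination buffer).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_SIZE 14   /* untagged Ethernet header */
#define TX_CAP       1536 /* hypothetical capacity of the reply buffer */

/* IPv4 total-length field (big endian, header bytes 2-3); this is the
 * ntohs(ip->ip_len) value the report describes as attacker-controlled. */
size_t read_ip_len(const uint8_t *frame, size_t eth_hdr_size)
{
    return ((size_t)frame[eth_hdr_size + 2] << 8) | frame[eth_hdr_size + 3];
}

/* Bounded form of the "copy eth_hdr_size + len bytes into tx_packet" step.
 * Rejects (a) an ip_len larger than what was actually received and
 * (b) a total that does not fit the destination. Returns bytes copied or -1. */
int copy_ping_frame(uint8_t *tx, size_t tx_cap, const uint8_t *rx, size_t rx_len,
                    size_t eth_hdr_size, size_t ip_len)
{
    if (rx_len < eth_hdr_size + 20)                    /* needs Ethernet + minimal IPv4 header */
        return -1;
    if (ip_len < 20 || ip_len > rx_len - eth_hdr_size) /* length field vs bytes on the wire */
        return -1;
    if (eth_hdr_size > tx_cap || ip_len > tx_cap - eth_hdr_size) /* would overrun tx */
        return -1;
    memcpy(tx, rx, eth_hdr_size + ip_len);
    return (int)(eth_hdr_size + ip_len);
}

/* Constructed frame: zeroed Ethernet + IPv4/ICMP header carrying the given
 * total-length field; returns the number of bytes "received" from the wire. */
size_t make_frame(uint8_t *buf, size_t buf_cap, size_t wire_len, uint16_t ip_len_field)
{
    memset(buf, 0, buf_cap);
    buf[ETH_HDR_SIZE]     = 0x45;                      /* IPv4, IHL 5 */
    buf[ETH_HDR_SIZE + 2] = (uint8_t)(ip_len_field >> 8);
    buf[ETH_HDR_SIZE + 3] = (uint8_t)ip_len_field;
    buf[ETH_HDR_SIZE + 9] = 1;                         /* protocol ICMP */
    return wire_len < buf_cap ? wire_len : buf_cap;
}

/* Returns 1 when a consistent frame is copied and an inconsistent one is rejected. */
int demo(void)
{
    uint8_t rx[128], tx[TX_CAP];
    size_t n = make_frame(rx, sizeof rx, 64, 50);      /* 14 + 50 == 64: consistent */
    int copied = copy_ping_frame(tx, sizeof tx, rx, n, ETH_HDR_SIZE, read_ip_len(rx, ETH_HDR_SIZE));
    n = make_frame(rx, sizeof rx, 64, 65535);          /* length field claims far more than arrived */
    int rejected = copy_ping_frame(tx, sizeof tx, rx, n, ETH_HDR_SIZE, read_ip_len(rx, ETH_HDR_SIZE));
    return copied == 64 && rejected == -1;
}
```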