mail archive of the barebox mailing list
* [PATCH 0/2] Fix buffer overflows in nfs code
@ 2019-09-02 11:44 Sascha Hauer
  2019-09-02 11:44 ` [PATCH 1/2] net: nfs: Fix possible buffer overflow Sascha Hauer
  2019-09-02 11:44 ` [PATCH 2/2] fs: " Sascha Hauer
  0 siblings, 2 replies; 3+ messages in thread
From: Sascha Hauer @ 2019-09-02 11:44 UTC (permalink / raw)
  To: Barebox List

These patches fix possible buffer overflows in the nfs code. We take a
32bit value read from an incoming network packet as length argument to
memcpy without boundary checking. The patches add the necessary boundary
checks. The patches can be backported to any past version, let me know
if you are interested in any specific version.

Sascha Hauer (2):
  net: nfs: Fix possible buffer overflow
  fs: nfs: Fix possible buffer overflow

 fs/nfs.c  | 4 ++++
 net/nfs.c | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

-- 
2.23.0


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


* [PATCH 1/2] net: nfs: Fix possible buffer overflow
  2019-09-02 11:44 [PATCH 0/2] Fix buffer overflows in nfs code Sascha Hauer
@ 2019-09-02 11:44 ` Sascha Hauer
  2019-09-02 11:44 ` [PATCH 2/2] fs: " Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2019-09-02 11:44 UTC (permalink / raw)
  To: Barebox List

nfs_readlink_reply() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 net/nfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/nfs.c b/net/nfs.c
index 0a3021994a..63573098d7 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 {
 	uint32_t *data;
 	char *path;
-	int rlen;
+	unsigned int rlen;
 	int ret;
 
 	ret = rpc_check_reply(pkt, 1);
@@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
 
 	rlen = ntohl(net_read_uint32(data)); /* new path length */
 
+	rlen = max_t(unsigned int, rlen,
+		     len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	data++;
 	path = (char *)data;
 
-- 
2.23.0



* [PATCH 2/2] fs: nfs: Fix possible buffer overflow
  2019-09-02 11:44 [PATCH 0/2] Fix buffer overflows in nfs code Sascha Hauer
  2019-09-02 11:44 ` [PATCH 1/2] net: nfs: Fix possible buffer overflow Sascha Hauer
@ 2019-09-02 11:44 ` Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2019-09-02 11:44 UTC (permalink / raw)
  To: Barebox List

nfs_readlink_req() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 fs/nfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nfs.c b/fs/nfs.c
index d606ccd1e9..0ad07aa3f2 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh,
 	p = nfs_read_post_op_attr(p, NULL);
 
 	len = ntoh32(net_read_uint32(p)); /* new path length */
+
+	len = max_t(unsigned int, len,
+		    nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
 	p++;
 
 	*target = xzalloc(len + 1);
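Review bot: `max_t()` in the added lines selects the larger value, so `len` is never reduced; it then sizes `xzalloc(len + 1)` on the last context line, meaning a large value from the packet still passes unchecked and a small one is inflated to the packet-size figure. Use `min_t()` here. The subtraction `nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t)` also wraps if `nfs_packet->len` is smaller than the two sizes, so it should be preceded by an explicit length check. Since `p` is reassigned by `nfs_read_post_op_attr()` just above, it is worth confirming that this fixed subtraction still describes the bytes remaining after `p`, or deriving the limit from the position of `p` relative to the end of the packet.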
-- 
2.23.0
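
The bounds check that both commit messages describe, written out as an added stand-alone C example (not barebox code and not part of the posted patches): the short-packet case is rejected before any unsigned subtraction, and the claimed length is clamped with a minimum. `HDR_LEN`, `copy_path()` and `demo()` are hypothetical names, and the packet in `demo()` is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 24u	/* hypothetical size, stands in for the RPC reply header */

/* Copy the length-prefixed path after the header into a new NUL-terminated
 * string. Returns NULL if the packet cannot hold header and length field. */
static char *copy_path(const unsigned char *pkt, size_t pkt_len)
{
	const unsigned char *f;
	size_t avail, claimed;
	char *path;

	/* Check before subtracting: an unsigned difference would wrap around. */
	if (pkt_len < HDR_LEN + 4)
		return NULL;
	avail = pkt_len - HDR_LEN - 4;
	f = pkt + HDR_LEN;
	/* Big-endian length field: comes from the network, so untrusted. */
	claimed = ((size_t)f[0] << 24) | ((size_t)f[1] << 16) | ((size_t)f[2] << 8) | f[3];
	if (claimed > avail)	/* clamp with min(), never max() */
		claimed = avail;
	path = calloc(claimed + 1, 1);
	if (path)
		memcpy(path, f + 4, claimed);
	return path;
}

/* Constructed sample packet: zeroed header, a length field claiming
 * `claimed` bytes, then the payload "abc". Returns bytes copied, or -1. */
static long demo(uint32_t claimed, size_t pkt_len)
{
	unsigned char pkt[HDR_LEN + 4 + 3] = {0};
	char *s;
	long n;
	for (unsigned i = 0; i < 4; i++)
		pkt[HDR_LEN + i] = (unsigned char)(claimed >> (24 - 8 * i));
	memcpy(pkt + HDR_LEN + 4, "abc", 3);
	s = copy_path(pkt, pkt_len);
	n = s ? (long)strlen(s) : -1;
	free(s);
	return n;
}

int main(void)
{
	printf("%ld %ld %ld\n", demo(3, 31), demo(0xffffffffu, 31), demo(3, 10));
	return 0;
}
```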


