authorSascha Hauer <s.hauer@pengutronix.de>2020-06-03 09:50:40 +0200
committerSascha Hauer <s.hauer@pengutronix.de>2020-06-03 09:50:44 +0200
commitc0f0cbd1759a6ca6cbda4001dff5764f6633c825 (patch)
tree6d734abb2000ac4c18984632d0947a501d048983 /net
parent1b57c7381c781e3cf39a10a2a01ce8e1fe5aca66 (diff)
nfs: Fix out of bounds read
nfs_read_reply() interprets the fields of an incoming packet directly as a field length without checking the boundaries. Clamp the maximum length to the packet length to avoid reading out of bounds. Reported-by: Jai Verma <jai2.verma@outlook.com> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'net')
-rw-r--r--net/nfs.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/nfs.c b/net/nfs.c
index 63573098d7..591417e0de 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -533,7 +533,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
static int nfs_read_reply(unsigned char *pkt, unsigned len)
{
- int rlen;
+ unsigned int rlen;
uint32_t *data;
int ret;
@@ -552,6 +552,8 @@ static int nfs_read_reply(unsigned char *pkt, unsigned len)
rlen = ntohl(net_read_uint32(data + 18));
+ rlen = max_t(unsigned int, rlen, len - 19);
+
ret = write(net_store_fd, (char *)(data + 19), rlen);
if (ret < 0) {
perror("write");
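Review bot: `max_t` on the added line selects the larger of its two operands, so an oversized `rlen` taken from the packet still reaches `write()` unchanged, and a small one is raised to `len - 19`; the clamp described in the commit message needs `min_t`, i.e. `rlen = min_t(unsigned int, rlen, len - 19);`. The bound itself also looks wrong in units: `data + 19` advances a `uint32_t *` by 19 words (76 bytes), whereas `len - 19` subtracts 19 bytes, and because `len` is unsigned the subtraction wraps to a huge value for packets shorter than that. The remaining length should be computed in bytes from the payload's offset within `pkt`, with a packet too short to contain the header rejected before the subtraction. How `data` is derived from `pkt` lies outside this hunk, so the exact offset needs to be confirmed against the rest of `nfs_read_reply()`.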