On Thu, Jun 02, 2022 at 09:18:42PM +0300, gerbert wrote:
> This patch tries to fix the CVE-2019-14196 fix.
>
> In the if-condition where NFSV2_FLAG is checked, a memcpy call is performed
> to transfer reply data of NFS_FHSIZE size. Since the data field in
> struct rpc_t has a size of (1024 / 4) + 26 = 282, while
> NFS_FHSIZE is only 32, it won't lead to an out-of-bounds write (assuming
> the size of the data array won't change in the future).
>
> Concerning the if-condition for NFSV3_FLAG: since filefh3_length is a
> signed integer, it may carry negative values, which may lead to memcpy
> failure. So in this case we need not only the boundary check
> (filefh3_length > NFS3_FHSIZE), which exists, but also to make sure that
> filefh3_length is not negative.
>
> Signed-off-by: gerbert <gerb...@users.noreply.github.com>
This has been addressed recently as:
https://patchwork.ozlabs.org/project/uboot/patch/20220518163103.372-1-zi0bl...@protonmail.com/
and more clearly:
https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80
Thanks.

-- 
Tom
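The point raised in the quoted patch description, that a signed `filefh3_length` makes `filefh3_length > NFS3_FHSIZE` insufficient on its own, is shown below in a stand-alone example. This is added illustration code, not U-Boot's `nfs.c` or the code of either linked commit: the reply layout is a constructed simplification (a 4-byte big-endian length followed by handle bytes), `naive_length_accepted`, `extract_filefh3` and `run_case` are hypothetical names, and the value 64 for `NFS3_FHSIZE` is assumed from RFC 1813 since the thread does not state it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum NFSv3 file handle length. The thread names the constant but not
 * its value; 64 (RFC 1813) is assumed here. */
#define NFS3_FHSIZE 64

/* Read a big-endian 32-bit word, as a network parser does before storing
 * the result into an int. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The check the quoted patch is concerned with, in isolation: with a signed
 * length, "len > NFS3_FHSIZE" alone accepts every negative value, and a
 * memcpy given such a value sees it converted to a huge size_t.
 * Returns 1 if the naive check would accept the length, 0 otherwise. */
int naive_length_accepted(int32_t filefh3_length)
{
    return !(filefh3_length > NFS3_FHSIZE);
}

/* Hardened extraction: rejects negative lengths, lengths above NFS3_FHSIZE,
 * and lengths that claim more bytes than the reply actually holds, so the
 * memcpy is only reached with a size in 0..NFS3_FHSIZE that lies within
 * both the destination and the source.
 * Returns the accepted length, or -1 if the reply is rejected. */
int extract_filefh3(const uint8_t *reply, size_t reply_len,
                    uint8_t out[NFS3_FHSIZE])
{
    if (reply_len < 4)
        return -1;

    /* Stored into a signed int, exactly as in the discussed code path, so a
     * wire value >= 0x80000000 becomes negative. */
    int32_t filefh3_length = (int32_t)load_be32(reply);

    if (filefh3_length < 0 || filefh3_length > NFS3_FHSIZE)
        return -1;                      /* bounds against the destination */
    if ((size_t)filefh3_length > reply_len - 4)
        return -1;                      /* bounds against the source */

    memcpy(out, reply + 4, (size_t)filefh3_length);
    return filefh3_length;
}

/* Build a constructed reply with the given declared length and the given
 * number of handle bytes actually present, then run the hardened parser.
 * Returns extract_filefh3's result (-2 if the case itself is malformed). */
int run_case(uint32_t declared_len, size_t payload_bytes)
{
    uint8_t reply[4 + 128];
    uint8_t out[NFS3_FHSIZE];

    if (payload_bytes > sizeof(reply) - 4)
        return -2;
    store_be32(reply, declared_len);
    for (size_t i = 0; i < payload_bytes; i++)
        reply[4 + i] = (uint8_t)(0xA0 + i);   /* constructed handle bytes */
    return extract_filefh3(reply, 4 + payload_bytes, out);
}

int main(void)
{
    printf("naive check accepts -1:        %d\n", naive_length_accepted(-1));
    printf("hardened, len 32 / 32 bytes:   %d\n", run_case(32, 32));
    printf("hardened, len 0xFFFFFFFF:      %d\n", run_case(0xFFFFFFFFu, 32));
    printf("hardened, len 65:              %d\n", run_case(65, 65));
    printf("hardened, len 40 / 32 bytes:   %d\n", run_case(40, 32));
    return 0;
}
```

The source-side check (`filefh3_length > reply_len - 4`) is not part of the quoted discussion; it is included because a length that passes the destination bound can still read past the end of a short reply, which is the mirror image of the write the patch is about.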