tl;dr: b85d130ea0ca didn't fix the CVE(s), but did break tftp of certain file sizes - which is somewhat lucky, since that's how I noticed in the first place.
What I at first hoped would be a one-liner trivial fix turned out to be much more complicated and led me down a rabbit hole of related fixes. And this isn't even complete, I'm afraid. Details in 3/6.

1 and 4 are independent of all the others. 5 is a trivial preparation for 6; otherwise those are also independent of the others.

Finally, 2 and 3 are my attempts at actually fixing CVE-2022-{30790,30552}, with 2 essentially lifting the "ensure the payload has non-negative size" to the first place we can check that instead of relying on that check to happen in several places.

Rasmus Villemoes (6):
  net: improve check for no IP options
  net: compare received length to sizeof(ip_hdr), not sizeof(ip_udp_hdr)
  net: (actually/better) deal with CVE-2022-{30790,30552}
  net: fix ip_len in reassembled IP datagram
  net: tftp: use IS_ENABLED(CONFIG_NET_TFTP_VARS) instead of #if
  net: tftp: sanitize tftp block size, especially for TX

 net/net.c  |  24 +++++++++----
 net/tftp.c | 102 ++++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 92 insertions(+), 34 deletions(-)

-- 
2.37.2
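
The check the cover letter describes for patch 2, validating once up front that the IP payload size cannot go negative, sketched as an added example (not code from this series or from U-Boot). The `ip4_hdr` struct, the `ip_payload_len` and `demo` names, the sample packets, and the choice to reject every header that carries options are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 20-byte IPv4 header without options; not U-Boot's struct. */
struct ip4_hdr {
	uint8_t hl_v;     /* version in high nibble, header length in words */
	uint8_t tos;
	uint8_t len[2];   /* total datagram length, network byte order */
	uint8_t rest[16]; /* id, frag offset, ttl, proto, checksum, addresses */
};

enum ip_check { IP_OK, IP_TRUNCATED, IP_BAD_HDR, IP_BAD_LEN };

/* Validate once, before any consumer sees the packet. On IP_OK,
 * *payload_len = ip_len - header size, which cannot have wrapped. */
enum ip_check ip_payload_len(const uint8_t *pkt, size_t rx_len,
			     size_t *payload_len)
{
	struct ip4_hdr h;
	size_t ip_len;

	if (rx_len < sizeof(h))          /* need an IP header, nothing more */
		return IP_TRUNCATED;
	memcpy(&h, pkt, sizeof(h));
	if (h.hl_v != 0x45)              /* assumption: IPv4, no options */
		return IP_BAD_HDR;
	ip_len = ((size_t)h.len[0] << 8) | h.len[1];
	if (ip_len < sizeof(h) || ip_len > rx_len)
		return IP_BAD_LEN;       /* shorter than header or longer than frame */
	*payload_len = ip_len - sizeof(h);
	return IP_OK;
}

/* Build a constructed packet (rx_len <= 64); return payload size or -(error). */
long demo(uint8_t hl_v, unsigned ip_len, size_t rx_len)
{
	uint8_t buf[64] = { hl_v, 0, (uint8_t)(ip_len >> 8), (uint8_t)ip_len };
	size_t n = 0;
	enum ip_check rc = ip_payload_len(buf, rx_len, &n);

	return rc == IP_OK ? (long)n : -(long)rc;
}

int main(void)
{
	printf("ip_len=28: %ld, ip_len=19: %ld\n", demo(0x45, 28, 28), demo(0x45, 19, 60));
	return 0;
}
```

With the length validated in one place, later code can subtract the header size from `ip_len` without repeating the check.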