aboutsummaryrefslogtreecommitdiff
path: root/net/nfs.c
diff options
context:
space:
mode:
authorAndrea zi0Black Cappa2022-05-18 16:30:08 +0000
committerTom Rini2022-05-26 10:32:06 -0400
commitbdbf7a05e26f3c5fd437c99e2755ffde186ddc80 (patch)
treeed0772cd40b66157b9c6a007d995b707f3941ef1 /net/nfs.c
parent9e892ac27670e094ce4bade5a13b4d0e3a7c4da3 (diff)
net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
This patch mitigates the vulnerability identified via CVE-2019-14196. The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective. filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks. Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
Diffstat (limited to 'net/nfs.c')
-rw-r--r--net/nfs.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/net/nfs.c b/net/nfs.c
index 3c01cebd96f..9152ab742ef 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
+static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
static enum net_loop_state nfs_download_state;
static struct in_addr nfs_server_ip;
@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
if (filefh3_length > NFS3_FHSIZE)
filefh3_length = NFS3_FHSIZE;
- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
- return -NFS_RPC_DROP;
memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
}