44 lines
1.7 KiB
Diff
44 lines
1.7 KiB
Diff
From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Mon Sep 17 00:00:00 2001
|
|
From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
|
|
Date: Wed, 18 May 2022 16:30:08 +0000
|
|
Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
|
|
|
|
This patch mitigates the vulnerability identified via CVE-2019-14196.
|
|
|
|
The previous patch was bypassed/ineffective, and now the vulnerability
|
|
is identified via CVE-2022-30767. The patch removes the sanity check
|
|
introduced to mitigate CVE-2019-14196 since it's ineffective.
|
|
filefh3_length is changed to unsigned type integer, preventing negative
|
|
numbers from being used during comparison with positive values during
|
|
size sanity checks.
|
|
|
|
Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
|
|
---
|
|
net/nfs.c | 4 +---
|
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
|
diff --git a/net/nfs.c b/net/nfs.c
|
|
index 3c01cebd96..9152ab742e 100644
|
|
--- a/net/nfs.c
|
|
+++ b/net/nfs.c
|
|
@@ -52,7 +52,7 @@ static const ulong nfs_timeout = CONFIG_NFS_TIMEOUT;
|
|
|
|
static char dirfh[NFS_FHSIZE]; /* NFSv2 / NFSv3 file handle of directory */
|
|
static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
|
|
-static int filefh3_length; /* (variable) length of filefh when NFSv3 */
|
|
+static unsigned int filefh3_length; /* (variable) length of filefh when NFSv3 */
|
|
|
|
static enum net_loop_state nfs_download_state;
|
|
static struct in_addr nfs_server_ip;
|
|
@@ -573,8 +573,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
|
|
filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
|
|
if (filefh3_length > NFS3_FHSIZE)
|
|
filefh3_length = NFS3_FHSIZE;
|
|
- if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
|
|
- return -NFS_RPC_DROP;
|
|
memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
|
|
}
|
|
|
|
--
|
|
GitLab
|