Commit b85d130e authored by Fabio Estevam's avatar Fabio Estevam Committed by Tom Rini
Browse files

net: Check for the minimum IP fragmented datagram size

Nicolas Bidron and Nicolas Guigo reported the two bugs below:

"
----------BUG 1----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of
`ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE`
and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len`
comprised between `0` and `7`. This will ultimately result in a
truncated division by `8` resulting value of `0` forcing the hole
metadata and fragment to point to the same location. The subsequent
memcopy will overwrite the hole metadata with the fragment data. Through
a second fragment, this can be exploited to write to an arbitrary offset
controlled by that overwritten hole metadata value.

This bug is only exploitable locally as it requires crafting two packets
the first of which would most likely be dropped through routing due to
its unexpectedly low Total Length. However, this bug can potentially be
exploited to root linux based embedded devic...
parent 2b641211
......@@ -391,6 +391,8 @@ struct ip_hdr {
#define IP_HDR_SIZE (sizeof(struct ip_hdr))
#define IP_MIN_FRAG_DATAGRAM_SIZE (IP_HDR_SIZE + 8)
/*
* Internet Protocol (IP) + UDP header.
*/
......
......@@ -907,6 +907,9 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
int offset8, start, len, done = 0;
u16 ip_off = ntohs(ip->ip_off);
if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
return NULL;
/* payload starts after IP header, this fragment is in there */
payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
offset8 = (ip_off & IP_OFFS);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment