From 1f7968efff15eb737eb086a298cc1f0f0e308411 Mon Sep 17 00:00:00 2001
From: Chris Leech <cleech@redhat.com>
Date: Tue, 10 Nov 2020 13:55:18 -0800
Subject: [PATCH 2/4] check for u8 overflow when processing TCP options
CVE-2020-13988
---
iscsiuio/src/uip/uip.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index cfff43c..522fd9d 100644
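--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -1795,16 +1795,18 @@ found_listen:
 } else {
 /* All other options have a length field, so
 that we easily can skip past them. */
- if (ustack->
- uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 +
- c] == 0) {
+ if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) {
 /* If the length field is zero, the
 options are malformed
 and we don't process them further. */
 break;
 }
- c += ustack->uip_buf[uip_ip_tcph_len +
- UIP_LLH_LEN + 1 + c];
+ if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) {
+ /* u8 overflow, actually there should
+ * never be more than 40 bytes of options */
+ break;
+ }
+ c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c];
 }
 }
 }
@@ -2010,6 +2012,14 @@ found:
 further. */
 break;
 }
+ if ((ustack->uip_buf[uip_ip_tcph_len
+ + UIP_LLH_LEN + 1 +
+ c]) > (256 - c)) {
+ /* u8 overflow, actually there should
+ * never be more than 40 bytes of
+ * options */
+ break;
+ }
 c += ustack->
 uip_buf[uip_ip_tcph_len +
 UIP_LLH_LEN + 1 +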
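Review bot: The new guard `> (256 - c)` in both hunks still lets a length byte equal to `256 - c` through. In that case the following `c +=` reaches exactly 256, and if `c` is the u8 that the subject line and the added comment imply, it wraps to 0 and the option scan would restart at the first option. The comparison should be inclusive in the found_listen hunk and again in the found hunk, e.g. `if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) >= (256 - c)) {`. Since the comment itself says options never exceed 40 bytes, a tighter check would reject any length that carries `c` past the option-area bound the loop already uses. That bound and the declaration of `c` are outside the hunks, so confirm both against the full function.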
--
1.8.3.1