From e2383973cbca64f8e17ed7c4ad98258edfed6644 Mon Sep 17 00:00:00 2001
From: Chris Leech <cleech@redhat.com>
Date: Tue, 10 Nov 2020 13:36:37 -0800
Subject: [PATCH 1/4] check for header length underflow during checksum
calculation
CVE-2020-13987
---
iscsiuio/src/uip/uip.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
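--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
 tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
 
 upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
- tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
+ tcp_ipv4_hdr->len[1]);
+ /* check for underflow from an invalid length field */
+ if (upper_layer_len < UIP_IPv4_H_LEN) {
+ /* return 0 as an invalid checksum */
+ return 0;
+ }
+ upper_layer_len -= UIP_IPv4_H_LEN;
 
 /* First sum pseudoheader. */
 /* IP protocol and length fields. This addition cannot carry. */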
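Review bot: The new guard bounds `upper_layer_len` only from below, so a length field larger than the data actually received still reaches the summing code with an attacker-chosen length. Nothing visible in this hunk compares the header's total length with the size of the received frame or buffer; if no caller or later patch in this 1/4 series does that, an upper-bound check belongs next to this one, along the lines of `if (upper_layer_len > <received_payload_len>) return 0;`, where the placeholder stands for whatever field of `ustack` holds the received length. The subtraction also assumes a fixed `UIP_IPv4_H_LEN` header, which is worth stating in the comment if packets with IP options are rejected before this point. The comment `/* return 0 as an invalid checksum */` would be clearer if it said why 0 is safe, i.e. which value callers treat as a valid result. The body of `upper_layer_chksum_ipv4` starts before and continues after this hunk, so the remarks about later use of the length are inferred from the context comments.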
--
1.8.3.1