packages/open-iscsi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
open-iscsi/0022-check-for-TCP-urgent-pointer-past-end-of-frame.patch
Wenchao Hao 77771bcf2e Fix CVE-2020-13987 CVE-2020-13988 CVE-2020-17437 
Signed-off-by: Wenchao Hao <haowenchao@huawei.com>
2021-02-22 20:23:19 +08:00

40 lines
1.2 KiB
Diff
Raw Blame History

From d63ce0d64c5abe9f285f14ce394660bfb9a16538 Mon Sep 17 00:00:00 2001
From: Chris Leech <cleech@redhat.com>
Date: Tue, 10 Nov 2020 14:14:11 -0800
Subject: [PATCH 3/4] check for TCP urgent pointer past end of frame
CVE-2020-17437
---
iscsiuio/src/uip/uip.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
index 522fd9d..e0a7221 100644
--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
@@ -2095,11 +2095,16 @@ tcp_send_finack:
} else {
uip_urglen = 0;
#else /* UIP_URGDATA > 0 */
- ustack->uip_appdata =
- ((char *)ustack->uip_appdata) +
- ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
- ustack->uip_len -=
- (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+ tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+ if (tmp16 <= ustack->uip_len) {
+ ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
+ ustack->uip_len -= tmp16;
+ } else {
+ /* invalid urgent pointer length greater than frame */
+ /* we're discarding urgent data anyway, throw it all out */
+ ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
+ ustack->uip_len = 0;
+ }
#endif /* UIP_URGDATA > 0 */
}
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink