Hey Joe & U-BOOT-lists,

I think I found a security vulnerability in U-Boot and I figured I'd report it 
to you; if this is the wrong channel, please let me know.


So in https://github.com/u-boot/u-boot/blob/master/net/ping.c#L108, in the 
ping_receive() function, the Ethernet header gets copied for eth_hdr_size + len 
to tx_packet. (No boundary checks.)

If CONFIG_CMD_PING is defined, receive_icmp() in 
https://github.com/u-boot/u-boot/blob/master/net/net.c#L1068 will call 
ping_receive() with the Ethernet header, IP header and length. (Still no boundary 
checks.)


Then net_process_received_packet() calls receive_icmp() 
(https://github.com/u-boot/u-boot/blob/master/net/net.c#L1261) with a length from 
ntohs(ip->ip_len) (https://github.com/u-boot/u-boot/blob/master/net/net.c#L1208); 
since an attacker could control this size, it could trigger a straightforward 
memcpy overflow.


To fix it I'd probably just add some boundary checks in ping_receive() so that 
the amount written doesn't exceed the buffer boundaries.


Kind Regards,

Jordy Zomer
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
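The boundary check the report suggests for ping_receive(), written out as an added example that is not U-Boot's code: stage_echo_reply() and the try_reply() harness are hypothetical, the buffer and header sizes are assumed values, and the frames are constructed in place.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for U-Boot's buffer and header sizes (assumed values). */
#define TX_BUF_SIZE   1536   /* capacity of the transmit packet buffer */
#define ETH_HDR_SIZE  14     /* untagged Ethernet header */
#define IP_HDR_SIZE   20
#define ICMP_HDR_SIZE 8
#define RX_FRAME_MAX  4096   /* size of the constructed receive buffer used below */

/*
 * Bounded replacement for the unchecked memcpy into the TX buffer.
 *   tx_buf/tx_cap  destination buffer and its real capacity
 *   frame          received frame, starting at its Ethernet header
 *   frame_len      bytes actually received for that frame
 *   eth_hdr_size   Ethernet header length already prepared for the reply
 *   ip_len         length field read from the IP header (peer-controlled)
 * Returns the bytes staged for transmission, or -1 if the packet is dropped.
 */
int stage_echo_reply(uint8_t *tx_buf, size_t tx_cap,
                     const uint8_t *frame, size_t frame_len,
                     size_t eth_hdr_size, size_t ip_len)
{
    /* Header sizes must be sane before any subtraction below can underflow. */
    if (eth_hdr_size > frame_len || eth_hdr_size > tx_cap)
        return -1;
    /* Too short to hold an IP header plus an ICMP header. */
    if (ip_len < IP_HDR_SIZE + ICMP_HDR_SIZE)
        return -1;
    /* The IP length field must not claim more bytes than were received. */
    if (ip_len > frame_len - eth_hdr_size)
        return -1;
    /* The reply (Ethernet header + IP datagram) must fit the transmit buffer. */
    if (ip_len > tx_cap - eth_hdr_size)
        return -1;

    memcpy(tx_buf, frame, eth_hdr_size + ip_len);
    return (int)(eth_hdr_size + ip_len);
}

/* Constructed harness: a dummy frame of frame_len bytes whose IP header claims ip_len. */
int try_reply(size_t frame_len, size_t ip_len)
{
    static uint8_t frame[RX_FRAME_MAX];
    static uint8_t tx_buf[TX_BUF_SIZE];

    if (frame_len > sizeof(frame))
        return -1;
    memset(frame, 0xAB, frame_len);
    return stage_echo_reply(tx_buf, sizeof(tx_buf), frame, frame_len,
                            ETH_HDR_SIZE, ip_len);
}
```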
