CVE: net: fix unbounded memcpy of UDP packet
author liucheng (G) <liucheng32@huawei.com>
Thu, 29 Aug 2019 13:47:33 +0000 (13:47 +0000)
committer Joe Hershberger <joe.hershberger@ni.com>
Wed, 4 Sep 2019 16:37:19 +0000 (11:37 -0500)
This patch adds a check to udp_len to fix unbounded memcpy for
CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.

Signed-off-by: Cheng Liu <liucheng32@huawei.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reported-by: Fermín Serna <fermin@semmle.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net/net.c

index 74a8a36b5a756c55d6292a8d51108cd99b56866d..ded86e7456715ebfc39ce1f52cdd5fd954870963 100644 (file)
--- a/net/net.c
+++ b/net/net.c
@@ -1264,6 +1264,9 @@ void net_process_received_packet(uchar *in_packet, int len)
                        return;
                }
 
+               if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+                       return;
+
                debug_cond(DEBUG_DEV_PKT,
                           "received UDP (to=%pI4, from=%pI4, len=%d)\n",
                           &dst_ip, &src_ip, len);
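
Review bot: the upper bound in the added condition is ip->ip_len, which counts the IP header as well as the UDP datagram, so a udp_len anywhere up to the full ip_len still passes even though the datagram can be no longer than ip_len minus the IP header length. Comparing against that smaller value would make the check match what the later memcpy can actually read. The check also relies on ip_len having already been validated against the received len, which is not visible in this hunk and is worth confirming or stating in a comment. Smaller points: ntohs(ip->udp_len) is evaluated twice on a line that runs past 80 columns, so a local such as "int udp_len = ntohs(ip->udp_len);" would tidy it, and the early return drops the packet silently where a debug_cond message like the one just below would help when diagnosing malformed traffic.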