1From 5d14ee4e53a81055d34ba280cb8fd90330f22a96 Mon Sep 17 00:00:00 2001
2From: "liucheng (G)" <liucheng32@huawei.com>
3Date: Thu, 29 Aug 2019 13:48:02 +0000
4Subject: [PATCH] CVE-2019-14196: nfs: fix unbounded memcpy with a failed
5 length check at nfs_lookup_reply
6MIME-Version: 1.0
7Content-Type: text/plain; charset=utf8
8Content-Transfer-Encoding: 8bit
9
10This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
11
12Signed-off-by: Cheng Liu <liucheng32@huawei.com>
13Reported-by: FermÃn Serna <fermin@semmle.com>
14Acked-by: Joe Hershberger <joe.hershberger@ni.com>
15---
16 net/nfs.c | 4 ++++
17 1 file changed, 4 insertions(+)
18
19diff --git a/net/nfs.c b/net/nfs.c
20index 915acd9..89952ae 100644
21--- a/net/nfs.c
22+++ b/net/nfs.c
23@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
24 }
25
26 if (supported_nfs_versions & NFSV2_FLAG) {
27+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)
28+ return -NFS_RPC_DROP;
29 memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
30 } else { /* NFSV3_FLAG */
31 filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
32 if (filefh3_length > NFS3_FHSIZE)
33 filefh3_length = NFS3_FHSIZE;
34+ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
35+ return -NFS_RPC_DROP;
36 memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
37 }
38
39--
401.9.1
41
42
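Review bot: The new bounds checks measure the file handle from `data[0]`, but both memcpy calls read from a later element — `data + 1` in the NFSv2 branch and `data + 2` in the NFSv3 branch — so a reply that is exactly one or two words too short passes the check and the copy still runs past `len`. Anchoring the check on the element memcpy actually starts from closes that gap: `if (((uchar *)&(rpc_pkt.u.reply.data[1]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)` for NFSv2, and `(uchar *)&(rpc_pkt.u.reply.data[2])` in the NFSv3 check. The NFSv3 branch also reads `rpc_pkt.u.reply.data[1]` for filefh3_length before any length check, so that read needs its own check that `data[1]` lies within `len` (or the existing check hoisted above the ntohl with the word count included). If rpc_pkt is a local copy filled from pkt up to len, as the earlier part of this function presumably does, the over-read lands on stale bytes of that struct rather than outside it, but the handle copied into filefh is then partly garbage and is later sent back to the server. nfs_lookup_reply's body starts and ends outside the hunk.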