mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
c4200e606c6125396e7b91b5d1042bf4c0e27394
poky/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
Hongxu Jia c4200e606c u-boot: fix CVE-2024-42040 
Backport a patch [1] from upstrem to fix CVE-2024-42040 [2]

[1] 81e5708cc2
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-42040

(From OE-Core rev: f5b980ade1e952a181cb51d60268942095627c0d)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-06 07:14:05 -08:00

57 lines
2.2 KiB
Diff
Raw Blame History

From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
From: Paul HENRYS <paul.henrys_ext@softathome.com>
Date: Thu, 9 Oct 2025 17:43:28 +0200
Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
content
CVE-2024-42040 describes a possible buffer overflow when calling
bootp_process_vendor() in bootp_handler() since the total length
of the packet is passed to bootp_process_vendor() without being
reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
The packet length is also checked against its minimum size to avoid
reading data from struct bootp_hdr outside of the packet length.
Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
CVE: CVE-2024-42040
Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
net/bootp.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/bootp.c b/net/bootp.c
index 68002909634..843180d296c 100644
--- a/net/bootp.c
+++ b/net/bootp.c
@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
src, dest, len, sizeof(struct bootp_hdr));
+ /* Check the minimum size of a BOOTP packet is respected.
+ * A BOOTP packet is between 300 bytes and 576 bytes big
+ */
+ if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
+ printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
+ return;
+ }
+
bp = (struct bootp_hdr *)pkt;
/* Filter out pkts we don't want */
@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
/* Retrieve extended information (we must parse the vendor area) */
if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
- bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
+ bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
+ (offsetof(struct bootp_hdr, bp_vend) + 4));
net_set_timeout_handler(0, (thand_f *)0);
bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink