net: wget: Avoid packet queue overflow

Make sure to stay within bounds, as a misbehaving HTTP server
can trigger a buffer overflow if not properly handled.

Cc: Joe Hershberger <joe.hershberger@ni.com>
Cc: Ramon Fried <rfried.dev@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Richard Weinberger 2023-07-20 14:51:56 +02:00 committed by Tom Rini
parent d01a8541d6
commit a8bd5ec000


@ -35,7 +35,8 @@ struct pkt_qd {
* The actual packet bufers are in the kernel space, and are * The actual packet bufers are in the kernel space, and are
* expected to be overwritten by the downloaded image. * expected to be overwritten by the downloaded image.
*/ */
static struct pkt_qd pkt_q[PKTBUFSRX / 4]; #define PKTQ_SZ (PKTBUFSRX / 4)
static struct pkt_qd pkt_q[PKTQ_SZ];
static int pkt_q_idx; static int pkt_q_idx;
static unsigned long content_length; static unsigned long content_length;
static unsigned int packets; static unsigned int packets;
@ -202,6 +203,13 @@ static void wget_connected(uchar *pkt, unsigned int tcp_seq_num,
pkt_q[pkt_q_idx].tcp_seq_num = tcp_seq_num; pkt_q[pkt_q_idx].tcp_seq_num = tcp_seq_num;
pkt_q[pkt_q_idx].len = len; pkt_q[pkt_q_idx].len = len;
pkt_q_idx++; pkt_q_idx++;
if (pkt_q_idx >= PKTQ_SZ) {
printf("wget: Fatal error, queue overrun!\n");
net_set_state(NETLOOP_FAIL);
return;
}
} else { } else {
debug_cond(DEBUG_WGET, "wget: Connected HTTP Header %p\n", pkt); debug_cond(DEBUG_WGET, "wget: Connected HTTP Header %p\n", pkt);
/* sizeof(http_eom) - 1 is the string length of (http_eom) */ /* sizeof(http_eom) - 1 is the string length of (http_eom) */
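Review bot: The new bounds check in wget_connected runs only after `pkt_q_idx++`, so the three stores to `pkt_q[pkt_q_idx]` above it are still unguarded and the failure path leaves `pkt_q_idx == PKTQ_SZ`. If the handler can be entered again before the net loop acts on `NETLOOP_FAIL` (not visible in this hunk), the next data packet from the server would be written one element past the array. Testing before the stores, with `if (pkt_q_idx >= PKTQ_SZ) {` and the same `printf`/`net_set_state(NETLOOP_FAIL)`/`return` body moved ahead of the first `pkt_q[pkt_q_idx]` assignment, would close that gap and also stop an exactly-full queue from being reported as an overrun. The function starts and ends outside the hunk, and where `pkt_q_idx` is reset is not shown, so both should be confirmed against the full file.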