There is a stack-based buffer overflow in the nfs_handler reply helper function: nfs_umountall_reply().
Tag: Das U-Boot
ASA-2019-00490 – Das U-Boot: Stack-based buffer overflow in the nfs_handler reply helper function: nfs_mount_reply()
There is a stack-based buffer overflow in the nfs_handler reply helper function: nfs_mount_reply().
ASA-2019-00489 – Das U-Boot: Stack-based buffer overflow in the nfs_handler reply helper function: nfs_readlink_reply()
There is a stack-based buffer overflow in the nfs_handler reply helper function: nfs_readlink_reply().
ASA-2019-00488 – Das U-Boot: Stack-based buffer overflow in the nfs_handler reply helper function: nfs_lookup_reply()
There is a stack-based buffer overflow in the nfs_handler reply helper function: nfs_lookup_reply().
ASA-2019-00487 – Das U-Boot: Stack-based buffer overflow in the nfs_handler reply helper function: rpc_lookup_reply()
There is a stack-based buffer overflow in the nfs_handler reply helper function: rpc_lookup_reply().
ASA-2019-00486 – Das U-Boot: Unbounded memcpy when parsing a UDP packet due to integer underflow
There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet() integer underflow during a *udp_packet_handler call.
ASA-2019-00485 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()
The problem exists in the NFSv3 case in the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length are fully controlled by the attacker and never validated.
ASA-2019-00484 – Das U-Boot: Read out-of-bound data at nfs_read_reply()
There is a read of out-of-bounds data at nfs_read_reply().