ASA-2019-00486 – Das U-Boot: Unbounded memcpy when parsing a UDP packet due to integer underflow

There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet() integer underflow during an *udp_packet_handler call.

ASA-2019-00485 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

The problem exists in the NFSv3 case in the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length is fully controlled by the attacker and never validated.

ASA-2019-00481 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

The problem exists in the NFSv2 case if the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length is fully controlled by the attacker and never validated.