There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet() integer underflow during an *udp_packet_handler call.
Tag: Unbounded memcpy
ASA-2019-00485 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()
The problem exists in the NFSv3 case in the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length is fully controlled by the attacker and never validated.
ASA-2019-00483 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_lookup_reply()
This problem exists in the nfs_lookup_reply() function that again parses an nfs reply coming from the network. It parses 4 bytes and uses them as length for a memcpy in two different locations.
ASA-2019-00482 – Das U-Boot: Unbounded memcpy with an unvalidated length at nfs_readlink_reply()
There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply(), in the else block after calculating the new path length.
ASA-2019-00481 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()
The problem exists in the NFSv2 case if the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length is fully controlled by the attacker and never validated.
ASA-2019-00480 – Das U-Boot: Unbounded memcpy with an unvalidated length at nfs_readlink_reply()
There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply(), in the if block after calculating the new path length.
ASA-2019-00479 – Das U-Boot: Unbounded memcpy when parsing a UDP packet due to integer underflow
There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an nc_input_packet call.