During the IP defragmentation process, after the reassembly is finished
with the last packet arriving with MF=0, the reassembly state wrt.
static counters is not cleared. In case this last arriving packet with
MF=0 gets duplicated, payload bytes are mistakenly treated as hole data.
A malicious actor who can deliver fragmented IP traffic to a U-Boot
instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bound
writes and redirect control flow into attacker-supplied payload bytes
that already sit in `pkt_buff[]`.
Publicly available AI models are able to generate a reproducer based
on the provided information.
Fix: once the assembled packet has been handed back to the caller, mark
the reassembly state empty so that any further fragment (duplicate,
replay, or a brand-new datagram that happens to reuse the `ip_id`) goes
through the normal re-init path and rebuilds a clean hole list instead
of dereferencing payload bytes as struct hole.
Fixes: 5cfaa4e54d0e ("net: defragment IP packets")
Reported-by: Mariusz Madej <mariusz.madej@nokia.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Alessandro Rubini <rubini@gnudd.com>
Signed-off-by: Mateusz Furdyna <mateusz.furdyna@nokia.com>
*lenp = total_len + IP_HDR_SIZE;
localip->ip_len = htons(*lenp);
+
+ /*
+ * Mark the reassembly state empty so that any further
+ * fragment goes through the normal re-init path and
+ * rebuilds a clean hole list
+ */
+ total_len = 0;
+ first_hole = 0;
+
return localip;
}