In the Linux kernel, the following vulnerability has been resolved:

usbnet: ipheth: use static NDP16 location in URB

Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read.

On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format.

This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB.

Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately.

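An added example (not the kernel's ipheth code) that models the two checks the description contrasts: a start-only bounds check on `wNdpIndex` versus requiring NDP16 directly after NTH16. Field sizes follow the USB CDC NCM 1.0 NTH16/NDP16 layout; `FIXED_DPES`, the function names and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes from the USB CDC NCM 1.0 layout; FIXED_DPES is an assumed value. */
#define NTH16_LEN   12u  /* dwSignature, wHeaderLength, wSequence, wBlockLength, wNdpIndex */
#define NDP16_LEN    8u  /* dwSignature, wLength, wNextNdpIndex */
#define DPE16_LEN    4u  /* wDatagramIndex, wDatagramLength */
#define FIXED_DPES   4u  /* hypothetical DPE count covered by the minimal-length check */
#define MIN_URB_LEN (NTH16_LEN + NDP16_LEN + FIXED_DPES * DPE16_LEN)

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Model of the behaviour described as flawed: after the minimal-length check,
 * only the start of NDP16 is bounds-checked. Returns the offset, or -1. */
int ndp16_offset_start_only(const uint8_t *urb, size_t len)
{
    if (len < MIN_URB_LEN)
        return -1;
    uint16_t idx = get_le16(urb + 10);       /* wNdpIndex */
    return idx < len ? (int)idx : -1;         /* idx + NDP16_LEN may still exceed len */
}

/* Static-location check: NDP16 must directly follow NTH16, so the minimal-length
 * check also covers the fixed part of NDP16 plus FIXED_DPES entries. */
int ndp16_offset_static(const uint8_t *urb, size_t len)
{
    if (len < MIN_URB_LEN)
        return -1;
    if (get_le16(urb + 10) != NTH16_LEN)
        return -1;
    return (int)NTH16_LEN;
}

/* Constructed sample input: zeroed buffer (len >= NTH16_LEN) with an NTH16
 * header carrying the given wNdpIndex. */
void make_urb(uint8_t *buf, size_t len, uint16_t ndp_index)
{
    memset(buf, 0, len);
    memcpy(buf, "NCMH", 4);                   /* NTH16 signature */
    buf[4] = NTH16_LEN;                       /* wHeaderLength */
    buf[10] = (uint8_t)(ndp_index & 0xff);
    buf[11] = (uint8_t)(ndp_index >> 8);
}
```

Neither function bounds the walk over the DPE array itself, which the description says has to be enforced separately.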
- https://git.kernel.org/stable/c/86586dcb75cb8fd062a518aca8ee667938b91efb
- https://github.com/fkie-cad/nvd-json-data-feeds