From 3eaac6307dff1e281f89fece521dc8a14078bf61 Mon Sep 17 00:00:00 2001
From: Ramon Fried
Date: Thu, 18 Jul 2019 21:43:30 +0300
Subject: net: introduce packet capture support
Add support for capturing ethernet packets and storing them in memory in PCAP(2.4) format, later to be analyzed by any PCAP viewer software (IE. Wireshark) This feature greatly assist debugging network issues such as detecting dropped packets, packet corruption etc.
Signed-off-by: Ramon Fried
Reviewed-by: Alex Marginean
Tested-by: Alex Marginean
Acked-by: Joe Hershberger
---
 net/net.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'net/net.c')
diff --git a/net/net.c b/net/net.c
index 40511db645d..74a8a36b5a7 100644
--- a/net/net.c
+++ b/net/net.c
@@ -96,6 +96,9 @@
 #include
 #include
 #include
+#if defined(CONFIG_CMD_PCAP)
+#include
+#endif
 #if defined(CONFIG_LED_STATUS)
 #include
 #include
@@ -672,6 +675,11 @@ done:
 net_set_icmp_handler(NULL);
 #endif
 net_set_state(prev_net_state);
+
+#if defined(CONFIG_CMD_PCAP)
+ if (pcap_active())
+ pcap_print_status();
+#endif
 return ret;
 }
@@ -1084,6 +1092,9 @@ void net_process_received_packet(uchar *in_packet, int len)
 debug_cond(DEBUG_NET_PKT, "packet received\n");
+#if defined(CONFIG_CMD_PCAP)
+ pcap_post(in_packet, len, false);
+#endif
 net_rx_packet = in_packet;
 net_rx_packet_len = len;
 et = (struct ethernet_hdr *)in_packet;
-- cgit v1.2.3
From fe7288069d2e6659117049f7d27e261b550bb725 Mon Sep 17 00:00:00 2001
From: "liucheng (G)"
Date: Thu, 29 Aug 2019 13:47:33 +0000
Subject: CVE: net: fix unbounded memcpy of UDP packet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds a check to udp_len to fix unbounded memcpy for CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
Signed-off-by: Cheng Liu
Reviewed-by: Simon Goldschmidt
Reported-by: Fermín Serna
Acked-by: Joe Hershberger
---
 net/net.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'net/net.c')
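Review bot: The packet-capture patch adds three `#if defined(CONFIG_CMD_PCAP)` guards inside net/net.c: around the include in the `@@ -96,6 +96,9 @@` hunk, around `pcap_print_status()` in `@@ -672,6 +675,11 @@`, and around `pcap_post()` in `@@ -1084,6 +1092,9 @@`. Preprocessor conditionals in the middle of the receive path mean the capture calls are only compile-checked when the option is on. If the pcap header were included unconditionally, the call sites could read `if (IS_ENABLED(CONFIG_CMD_PCAP)) pcap_post(in_packet, len, false);` and be checked in both configurations. The header is not shown on this page, so whether its declarations are usable with the option off is an assumption to confirm.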
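Review bot: In the `@@ -1084,6 +1092,9 @@` hunk of the packet-capture patch, `pcap_post(in_packet, len, false)` runs before this function has validated anything about the frame, and `len` is a signed `int` handed in by the caller. Nothing visible here shows that pcap_post() rejects a negative or oversized `len` or stops at the end of the capture buffer, so that bound has to be enforced inside pcap_post() itself. A comment at the call site would make the dependency explicit, for example `/* raw frame, not yet validated: pcap_post() must bound len against the capture buffer */`. net_process_received_packet starts and continues outside the hunk.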
diff --git a/net/net.c b/net/net.c
index 74a8a36b5a7..ded86e74567 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1264,6 +1264,9 @@ void net_process_received_packet(uchar *in_packet, int len)
 return;
 }
+ if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
+ return;
+
 debug_cond(DEBUG_DEV_PKT, "received UDP (to=%pI4, from=%pI4, len=%d)\n", &dst_ip, &src_ip, len);
-- cgit v1.2.3
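Review bot: The upper bound in the added check, `ntohs(ip->udp_len) > ntohs(ip->ip_len)`, compares the UDP length with the length of the whole IP datagram, so a `udp_len` that overruns the UDP portion by up to the size of the IP header still passes. Both fields come from the packet; whether `ip_len` has already been checked against the received `len` earlier in net_process_received_packet is not visible in this hunk, and this bound is only as good as that earlier check. A tighter form would be `if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) + IP_HDR_SIZE > ntohs(ip->ip_len)) return;` (assuming the tree's IP header size constant, `IP_HDR_SIZE`), written as an addition so a small `ip_len` cannot wrap the comparison. The function starts and ends outside the hunk.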