From 5994c69cec8179a9001ec90502a550a7d62f889e Mon Sep 17 00:00:00 2001
From: cao-bing-6 <caobing6@huawei.com>
Date: Thu, 30 Jun 2022 11:17:39 +0000
Subject: [PATCH] uboot Fix CVE-2022-30552

Signed-off-by: cao-bing-6 <caobing6@huawei.com>
Change-Id: I78b12bb75632f0cd8358848629b3e6437a0b89af
---
 u-boot-2020.01/include/net.h | 2 ++
 u-boot-2020.01/net/net.c     | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/u-boot-2020.01/include/net.h b/u-boot-2020.01/include/net.h
index 834f244982..e8a213f43d 100644
--- a/u-boot-2020.01/include/net.h
+++ b/u-boot-2020.01/include/net.h
@@ -373,6 +373,8 @@ struct ip_hdr {
 
 #define IP_HDR_SIZE		(sizeof(struct ip_hdr))
 
+#define IP_MIN_FRAG_DATAGRAM_SIZE (IP_HDR_SIZE + 8)
+
 /*
  *	Internet Protocol (IP) + UDP header.
  */
diff --git a/u-boot-2020.01/net/net.c b/u-boot-2020.01/net/net.c
index 5199d679a1..8fcfc68c9c 100644
--- a/u-boot-2020.01/net/net.c
+++ b/u-boot-2020.01/net/net.c
@@ -911,6 +911,9 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
 	int offset8, start, len, done = 0;
 	u16 ip_off = ntohs(ip->ip_off);
 
+	if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
+		return NULL;
+
 	/* payload starts after IP header, this fragment is in there */
 	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
 	offset8 =  (ip_off & IP_OFFS);
-- 
Gitee