summaryrefslogtreecommitdiffstats
path: root/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 10:54:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 10:54:18 +0000
commit8e67fbf68ffeb9eb5f026dd482d73b021660bf9b (patch)
treebb573facd5d02096f9956b2617a722b88acaa8af /debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch
parentAdding upstream version 2.06. (diff)
downloadgrub2-8e67fbf68ffeb9eb5f026dd482d73b021660bf9b.tar.xz
grub2-8e67fbf68ffeb9eb5f026dd482d73b021660bf9b.zip
Adding debian version 2.06-3~deb11u6.debian/2.06-3_deb11u6debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch b/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch
new file mode 100644
index 0000000..7c5d8dc
--- /dev/null
+++ b/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch
@@ -0,0 +1,43 @@
+From 2a4f87df650fd2ef639b48b43fc834b97b6b2bfa Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 20 Dec 2021 19:41:21 +1100
+Subject: net/ip: Do IP fragment maths safely
+
+This avoids an underflow and subsequent unpleasantness.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index 01410798b..937be8767 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+
+ struct iphdr {
+@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+ {
+ rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ + (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+ rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+ if (!rsm->asm_netbuff)
+ {