diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch b/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch new file mode 100644 index 0000000..5b7ede1 --- /dev/null +++ b/debian/patches/0086-net-http-Error-out-on-headers-with-LF-without-CR.patch @@ -0,0 +1,47 @@ +From 870b94755b6a341d21632293677b346ff033e5f0 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens <dja@axtens.net> +Date: Tue, 8 Mar 2022 19:04:40 +1100 +Subject: net/http: Error out on headers with LF without CR + +In a similar vein to the previous patch, parse_line() would write +a NUL byte past the end of the buffer if there was an HTTP header +with a LF rather than a CRLF. + +RFC-2616 says: + + Many HTTP/1.1 header field values consist of words separated by LWS + or special characters. These special characters MUST be in a quoted + string to be used within a parameter value (as defined in section 3.6). + +We don't support quoted sections or continuation lines, etc. + +If we see an LF that's not part of a CRLF, bail out. + +Fixes: CVE-2022-28734 + +Signed-off-by: Daniel Axtens <dja@axtens.net> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +--- + grub-core/net/http.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/grub-core/net/http.c b/grub-core/net/http.c +index 9f45ad4e8..6988d38fb 100644 +--- a/grub-core/net/http.c ++++ b/grub-core/net/http.c +@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len) + char *end = ptr + len; + while (end > ptr && *(end - 1) == '\r') + end--; ++ ++ /* LF without CR. */ ++ if (end == ptr + len) ++ { ++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR")); ++ return GRUB_ERR_NONE; ++ } + *end = 0; ++ + /* Trailing CRLF. */ + if (data->in_chunk_len == 1) + { |