summaryrefslogtreecommitdiffstats
path: root/debian/patches/0079-net-ip-Do-IP-fragment-maths-safely.patch
blob: 7c5d8dc3f8604e3576b72c7b551080d2a24e5d57 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
From 2a4f87df650fd2ef639b48b43fc834b97b6b2bfa Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 20 Dec 2021 19:41:21 +1100
Subject: net/ip: Do IP fragment maths safely

This avoids an underflow and subsequent unpleasantness.

Fixes: CVE-2022-28733

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/net/ip.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
index 01410798b..937be8767 100644
--- a/grub-core/net/ip.c
+++ b/grub-core/net/ip.c
@@ -25,6 +25,7 @@
 #include <grub/net/netbuff.h>
 #include <grub/mm.h>
 #include <grub/priority_queue.h>
+#include <grub/safemath.h>
 #include <grub/time.h>
 
 struct iphdr {
@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
     {
       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
 			+ (nb->tail - nb->data));
-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
+
+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
+		    &rsm->total_len))
+	{
+	  grub_dprintf ("net", "IP reassembly size underflow\n");
+	  return GRUB_ERR_NONE;
+	}
+
       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
       if (!rsm->asm_netbuff)
 	{