diff options
| author | Daniel Axtens <dja@axtens.net> | 2021-12-20 19:41:21 +1100 |
|---|---|---|
| committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-06-07 16:39:33 +0200 |
| commit | 3e4817538de828319ba6d59ced2fbb9b5ca13287 (patch) | |
| tree | 157719af586bee86aac3d8814324f8c34971da4b | |
| parent | 830a9628b2c9e1b6388af624aaf4a80818ed6be0 (diff) | |
| download | grub-3e4817538de828319ba6d59ced2fbb9b5ca13287.tar.gz | |
net/ip: Do IP fragment maths safely
We can receive packets with invalid IP fragmentation information. This
can lead to rsm->total_len underflowing and becoming very large.
Then, in grub_netbuff_alloc(), we add to this very large number, which can
cause it to overflow and wrap back around to a small positive number.
The allocation then succeeds, but the resulting buffer is too small and
subsequent operations can write past the end of the buffer.
Catch the underflow here.
Fixes: CVE-2022-28733
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
| -rw-r--r-- | grub-core/net/ip.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c index e3d62e97f..3c3d0be0e 100644 --- a/grub-core/net/ip.c +++ b/grub-core/net/ip.c @@ -25,6 +25,7 @@ #include <grub/net/netbuff.h> #include <grub/mm.h> #include <grub/priority_queue.h> +#include <grub/safemath.h> #include <grub/time.h> struct iphdr { @@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb, { rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK) + (nb->tail - nb->data)); - rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t)); + + if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t), + &rsm->total_len)) + { + grub_dprintf ("net", "IP reassembly size underflow\n"); + return GRUB_ERR_NONE; + } + rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len); if (!rsm->asm_netbuff) { |