|
|
1c6ba0 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
1c6ba0 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
1c6ba0 |
Date: Tue, 8 Mar 2022 19:04:40 +1100
|
|
|
1c6ba0 |
Subject: [PATCH] net/http: Error out on headers with LF without CR
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
In a similar vein to the previous patch, parse_line() would write
|
|
|
1c6ba0 |
a NUL byte past the end of the buffer if there was an HTTP header
|
|
|
1c6ba0 |
with a LF rather than a CRLF.
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
RFC-2616 says:
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Many HTTP/1.1 header field values consist of words separated by LWS
|
|
|
1c6ba0 |
or special characters. These special characters MUST be in a quoted
|
|
|
1c6ba0 |
string to be used within a parameter value (as defined in section 3.6).
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
We don't support quoted sections or continuation lines, etc.
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
If we see an LF that's not part of a CRLF, bail out.
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Fixes: CVE-2022-28734
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
1c6ba0 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
1c6ba0 |
(cherry picked from commit d232ad41ac4979a9de4d746e5fdff9caf0e303de)
|
|
|
1c6ba0 |
(cherry picked from commit 8960e6d6137090a7e8c6592077da6e387a4ef972)
|
|
|
1c6ba0 |
---
|
|
|
1c6ba0 |
grub-core/net/http.c | 8 ++++++++
|
|
|
1c6ba0 |
1 file changed, 8 insertions(+)
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
|
|
|
1c6ba0 |
index 58546739a2..57d2721719 100644
|
|
|
1c6ba0 |
--- a/grub-core/net/http.c
|
|
|
1c6ba0 |
+++ b/grub-core/net/http.c
|
|
|
1c6ba0 |
@@ -69,7 +69,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
|
|
|
1c6ba0 |
char *end = ptr + len;
|
|
|
1c6ba0 |
while (end > ptr && *(end - 1) == '\r')
|
|
|
1c6ba0 |
end--;
|
|
|
1c6ba0 |
+
|
|
|
1c6ba0 |
+ /* LF without CR. */
|
|
|
1c6ba0 |
+ if (end == ptr + len)
|
|
|
1c6ba0 |
+ {
|
|
|
1c6ba0 |
+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
|
|
|
1c6ba0 |
+ return GRUB_ERR_NONE;
|
|
|
1c6ba0 |
+ }
|
|
|
1c6ba0 |
*end = 0;
|
|
|
1c6ba0 |
+
|
|
|
1c6ba0 |
/* Trailing CRLF. */
|
|
|
1c6ba0 |
if (data->in_chunk_len == 1)
|
|
|
1c6ba0 |
{
|