From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Daniel Axtens <dja@axtens.net>

Date: Mon, 20 Dec 2021 19:41:21 +1100

Subject: [PATCH] net/ip: Do IP fragment maths safely

This avoids an underflow and subsequent unpleasantness.

Fixes: CVE-2022-28733

Signed-off-by: Daniel Axtens <dja@axtens.net>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

(cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)

(cherry picked from commit 552ad34583e788542e9ca08524a0d4bc8f98c297)

(cherry picked from commit 2c8cb7e3b8b48b136a950e5692fa6251b76df90e)

(cherry picked from commit ec7f66954d81f3bb28f4c93581e0c562c8608fa1)

---

 grub-core/net/ip.c | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c

index daa5b03516..bca6504c2e 100644

--- a/grub-core/net/ip.c

+++ b/grub-core/net/ip.c

@@ -25,6 +25,7 @@

 #include <grub/net/netbuff.h>

 #include <grub/mm.h>

 #include <grub/priority_queue.h>

+#include <grub/safemath.h>

 #include <grub/time.h>

 struct iphdr {

@@ -536,7 +537,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,

     {

       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)

 			+ (nb->tail - nb->data));

-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));

+

+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),

+		    &rsm->total_len))

+	{

+	  grub_dprintf ("net", "IP reassembly size underflow\n");

+	  return GRUB_ERR_NONE;

+	}

+

       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);

       if (!rsm->asm_netbuff)

 	{