Blame SOURCES/0533-net-http-Error-out-on-headers-with-LF-without-CR.patch

b9d01e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b9d01e
From: Daniel Axtens <dja@axtens.net>
b9d01e
Date: Tue, 8 Mar 2022 19:04:40 +1100
b9d01e
Subject: [PATCH] net/http: Error out on headers with LF without CR
b9d01e
b9d01e
In a similar vein to the previous patch, parse_line() would write
b9d01e
a NUL byte past the end of the buffer if there was an HTTP header
b9d01e
with a LF rather than a CRLF.
b9d01e
b9d01e
RFC-2616 says:
b9d01e
b9d01e
  Many HTTP/1.1 header field values consist of words separated by LWS
b9d01e
  or special characters. These special characters MUST be in a quoted
b9d01e
  string to be used within a parameter value (as defined in section 3.6).
b9d01e
b9d01e
We don't support quoted sections or continuation lines, etc.
b9d01e
b9d01e
If we see an LF that's not part of a CRLF, bail out.
b9d01e
b9d01e
Fixes: CVE-2022-28734
b9d01e
b9d01e
Signed-off-by: Daniel Axtens <dja@axtens.net>
b9d01e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b9d01e
(cherry picked from commit d232ad41ac4979a9de4d746e5fdff9caf0e303de)
b9d01e
(cherry picked from commit 8960e6d6137090a7e8c6592077da6e387a4ef972)
b9d01e
(cherry picked from commit 9b6b9398c90dd76ce0b935d21c4ecb8954c4b2b7)
b9d01e
---
b9d01e
 grub-core/net/http.c | 8 ++++++++
b9d01e
 1 file changed, 8 insertions(+)
b9d01e
b9d01e
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
b9d01e
index 7fa2dcaea7..745f429b51 100644
b9d01e
--- a/grub-core/net/http.c
b9d01e
+++ b/grub-core/net/http.c
b9d01e
@@ -69,7 +69,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
b9d01e
   char *end = ptr + len;
b9d01e
   while (end > ptr && *(end - 1) == '\r')
b9d01e
     end--;
b9d01e
+
b9d01e
+  /* LF without CR. */
b9d01e
+  if (end == ptr + len)
b9d01e
+    {
b9d01e
+      data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
b9d01e
+      return GRUB_ERR_NONE;
b9d01e
+    }
b9d01e
   *end = 0;
b9d01e
+
b9d01e
   /* Trailing CRLF.  */
b9d01e
   if (data->in_chunk_len == 1)
b9d01e
     {