rpms / grub2

Clone
Source Code
GIT

Blame 0232-net-ip-Do-IP-fragment-maths-safely.patch

el5 el6 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-bls f25-bls3 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f9 main put-font-back rawhide splitarch4 uefi-vlan
  1.   rawhide
  2.   0232-net-ip-Do-IP-fragment-maths-safely.patch
Blob History Raw
f0ad2aa 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
f0ad2aa 
From: Daniel Axtens <dja@axtens.net>
f0ad2aa 
Date: Mon, 20 Dec 2021 19:41:21 +1100
f0ad2aa 
Subject: [PATCH] net/ip: Do IP fragment maths safely
f0ad2aa
f0ad2aa 
This avoids an underflow and subsequent unpleasantness.
f0ad2aa
f0ad2aa 
Fixes: CVE-2022-28733
f0ad2aa
f0ad2aa 
Signed-off-by: Daniel Axtens <dja@axtens.net>
f0ad2aa 
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
f0ad2aa 
(cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)
f0ad2aa 
---
f0ad2aa 
 grub-core/net/ip.c | 10 +++++++++-
f0ad2aa 
 1 file changed, 9 insertions(+), 1 deletion(-)
f0ad2aa
f0ad2aa 
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
f0ad2aa 
index ce6bdc75c6..cf74f1f794 100644
f0ad2aa 
--- a/grub-core/net/ip.c
f0ad2aa 
+++ b/grub-core/net/ip.c
f0ad2aa 
@@ -25,6 +25,7 @@
f0ad2aa 
 #include <grub/net/netbuff.h>
f0ad2aa 
 #include <grub/mm.h>
f0ad2aa 
 #include <grub/priority_queue.h>
f0ad2aa 
+#include <grub/safemath.h>
f0ad2aa 
 #include <grub/time.h>
f0ad2aa
f0ad2aa 
 struct iphdr {
f0ad2aa 
@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
f0ad2aa 
     {
f0ad2aa 
       rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
f0ad2aa 
 			+ (nb->tail - nb->data));
f0ad2aa 
-      rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
f0ad2aa 
+
f0ad2aa 
+      if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
f0ad2aa 
+		    &rsm->total_len))
f0ad2aa 
+	{
f0ad2aa 
+	  grub_dprintf ("net", "IP reassembly size underflow\n");
f0ad2aa 
+	  return GRUB_ERR_NONE;
f0ad2aa 
+	}
f0ad2aa 
+
f0ad2aa 
       rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
f0ad2aa 
       if (!rsm->asm_netbuff)
f0ad2aa 
 	{
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.