|
 |
c4e390 |
From ed7411d55fd5eae7b6c540e99cb2f41156d3e4c5 Mon Sep 17 00:00:00 2001
|
|
|
c4e390 |
From: Peter Jones <pjones@redhat.com>
|
|
|
c4e390 |
Date: Sun, 19 Jul 2020 17:27:00 -0400
|
|
|
c4e390 |
Subject: [PATCH 329/336] efi/ip[46]_config.c: fix some potential allocation
|
|
|
c4e390 |
overflows
|
|
|
c4e390 |
|
|
|
c4e390 |
In theory all of this data comes from the firmware stack and it should
|
|
|
c4e390 |
be safe, but it's better to be paranoid.
|
|
|
c4e390 |
|
|
|
c4e390 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
c4e390 |
---
|
|
|
c4e390 |
grub-core/net/efi/ip4_config.c | 28 ++++++++++++++++++++--------
|
|
|
c4e390 |
grub-core/net/efi/ip6_config.c | 13 ++++++++++---
|
|
|
c4e390 |
2 files changed, 30 insertions(+), 11 deletions(-)
|
|
|
c4e390 |
|
|
|
c4e390 |
diff --git a/grub-core/net/efi/ip4_config.c b/grub-core/net/efi/ip4_config.c
|
|
|
c4e390 |
index 313c818b184..0f729b47cbd 100644
|
|
|
c4e390 |
--- a/grub-core/net/efi/ip4_config.c
|
|
|
c4e390 |
+++ b/grub-core/net/efi/ip4_config.c
|
|
|
c4e390 |
@@ -4,15 +4,20 @@
|
|
|
c4e390 |
#include <grub/misc.h>
|
|
|
c4e390 |
#include <grub/net/efi.h>
|
|
|
c4e390 |
#include <grub/charset.h>
|
|
|
c4e390 |
+#include <grub/safemath.h>
|
|
|
c4e390 |
|
|
|
c4e390 |
char *
|
|
|
c4e390 |
grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_address_t hw_address)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
char *hw_addr, *p;
|
|
|
c4e390 |
- int sz, s;
|
|
|
c4e390 |
- int i;
|
|
|
c4e390 |
+ grub_size_t sz, s, i;
|
|
|
c4e390 |
|
|
|
c4e390 |
- sz = (int)hw_address_size * (sizeof ("XX:") - 1) + 1;
|
|
|
c4e390 |
+ if (grub_mul (hw_address_size, sizeof ("XX:") - 1, &sz) ||
|
|
|
c4e390 |
+ grub_add (sz, 1, &sz))
|
|
|
c4e390 |
+ {
|
|
|
c4e390 |
+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
|
|
|
c4e390 |
+ return NULL;
|
|
|
c4e390 |
+ }
|
|
|
c4e390 |
|
|
|
c4e390 |
hw_addr = grub_malloc (sz);
|
|
|
c4e390 |
if (!hw_addr)
|
|
|
c4e390 |
@@ -20,7 +25,7 @@ grub_efi_hw_address_to_string (grub_efi_uint32_t hw_address_size, grub_efi_mac_a
|
|
|
c4e390 |
|
|
|
c4e390 |
p = hw_addr;
|
|
|
c4e390 |
s = sz;
|
|
|
c4e390 |
- for (i = 0; i < (int)hw_address_size; i++)
|
|
|
c4e390 |
+ for (i = 0; i < hw_address_size; i++)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
grub_snprintf (p, sz, "%02x:", hw_address[i]);
|
|
|
c4e390 |
p += sizeof ("XX:") - 1;
|
|
|
c4e390 |
@@ -56,7 +61,8 @@ int
|
|
|
c4e390 |
grub_efi_string_to_ip4_address (const char *val, grub_efi_ipv4_address_t *address, const char **rest)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
grub_uint32_t newip = 0;
|
|
|
c4e390 |
- int i, ncolon = 0;
|
|
|
c4e390 |
+ grub_size_t i;
|
|
|
c4e390 |
+ int ncolon = 0;
|
|
|
c4e390 |
const char *ptr = val;
|
|
|
c4e390 |
|
|
|
c4e390 |
/* Check that is not an IPv6 address */
|
|
|
c4e390 |
@@ -238,14 +244,20 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
grub_efi_ip4_config2_interface_info_t *interface_info;
|
|
|
c4e390 |
char **ret;
|
|
|
c4e390 |
- int i, id;
|
|
|
c4e390 |
+ int id;
|
|
|
c4e390 |
+ grub_size_t i, nmemb;
|
|
|
c4e390 |
|
|
|
c4e390 |
interface_info = efi_ip4_config_interface_info (dev->ip4_config);
|
|
|
c4e390 |
if (!interface_info)
|
|
|
c4e390 |
return NULL;
|
|
|
c4e390 |
|
|
|
c4e390 |
- ret = grub_malloc (sizeof (*ret) * (interface_info->route_table_size + 1));
|
|
|
c4e390 |
+ if (grub_add (interface_info->route_table_size, 1, &nmemb))
|
|
|
c4e390 |
+ {
|
|
|
c4e390 |
+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
|
|
|
c4e390 |
+ return NULL;
|
|
|
c4e390 |
+ }
|
|
|
c4e390 |
|
|
|
c4e390 |
+ ret = grub_calloc (nmemb, sizeof (*ret));
|
|
|
c4e390 |
if (!ret)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
grub_free (interface_info);
|
|
|
c4e390 |
@@ -253,7 +265,7 @@ grub_efi_ip4_interface_route_table (struct grub_efi_net_device *dev)
|
|
|
c4e390 |
}
|
|
|
c4e390 |
|
|
|
c4e390 |
id = 0;
|
|
|
c4e390 |
- for (i = 0; i < (int)interface_info->route_table_size; i++)
|
|
|
c4e390 |
+ for (i = 0; i < interface_info->route_table_size; i++)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
char *subnet, *gateway, *mask;
|
|
|
c4e390 |
grub_uint32_t u32_subnet, u32_gateway;
|
|
|
c4e390 |
diff --git a/grub-core/net/efi/ip6_config.c b/grub-core/net/efi/ip6_config.c
|
|
|
c4e390 |
index 017c4d05bc7..a46f6f9b685 100644
|
|
|
c4e390 |
--- a/grub-core/net/efi/ip6_config.c
|
|
|
c4e390 |
+++ b/grub-core/net/efi/ip6_config.c
|
|
|
c4e390 |
@@ -3,6 +3,7 @@
|
|
|
c4e390 |
#include <grub/misc.h>
|
|
|
c4e390 |
#include <grub/net/efi.h>
|
|
|
c4e390 |
#include <grub/charset.h>
|
|
|
c4e390 |
+#include <grub/safemath.h>
|
|
|
c4e390 |
|
|
|
c4e390 |
char *
|
|
|
c4e390 |
grub_efi_ip6_address_to_string (grub_efi_pxe_ipv6_address_t *address)
|
|
|
c4e390 |
@@ -228,14 +229,20 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
grub_efi_ip6_config_interface_info_t *interface_info;
|
|
|
c4e390 |
char **ret;
|
|
|
c4e390 |
- int i, id;
|
|
|
c4e390 |
+ int id;
|
|
|
c4e390 |
+ grub_size_t i, nmemb;
|
|
|
c4e390 |
|
|
|
c4e390 |
interface_info = efi_ip6_config_interface_info (dev->ip6_config);
|
|
|
c4e390 |
if (!interface_info)
|
|
|
c4e390 |
return NULL;
|
|
|
c4e390 |
|
|
|
c4e390 |
- ret = grub_malloc (sizeof (*ret) * (interface_info->route_count + 1));
|
|
|
c4e390 |
+ if (grub_add (interface_info->route_count, 1, &nmemb))
|
|
|
c4e390 |
+ {
|
|
|
c4e390 |
+ grub_errno = GRUB_ERR_OUT_OF_RANGE;
|
|
|
c4e390 |
+ return NULL;
|
|
|
c4e390 |
+ }
|
|
|
c4e390 |
|
|
|
c4e390 |
+ ret = grub_calloc (nmemb, sizeof (*ret));
|
|
|
c4e390 |
if (!ret)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
grub_free (interface_info);
|
|
|
c4e390 |
@@ -243,7 +250,7 @@ grub_efi_ip6_interface_route_table (struct grub_efi_net_device *dev)
|
|
|
c4e390 |
}
|
|
|
c4e390 |
|
|
|
c4e390 |
id = 0;
|
|
|
c4e390 |
- for (i = 0; i < (int)interface_info->route_count ; i++)
|
|
|
c4e390 |
+ for (i = 0; i < interface_info->route_count ; i++)
|
|
|
c4e390 |
{
|
|
|
c4e390 |
char *gateway, *destination;
|
|
|
c4e390 |
grub_uint64_t u64_gateway[2];
|
|
|
c4e390 |
--
|
|
|
c4e390 |
2.26.2
|
|
|
c4e390 |
|