|
|
468bd4 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
468bd4 |
From: Thomas Frauendorfer | Miray Software <tf@miray.de>
|
|
|
468bd4 |
Date: Tue, 4 Aug 2020 17:13:05 +0200
|
|
|
468bd4 |
Subject: [PATCH] efi/net: Fix malformed device path arithmetic errors in efi
|
|
|
468bd4 |
net methods
|
|
|
468bd4 |
|
|
|
468bd4 |
---
|
|
|
468bd4 |
grub-core/net/efi/net.c | 26 ++++++++++++++++++++------
|
|
|
468bd4 |
1 file changed, 20 insertions(+), 6 deletions(-)
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
|
|
|
030dc3 |
index 3ae1fbbe3c8..a58c24f6364 100644
|
|
|
468bd4 |
--- a/grub-core/net/efi/net.c
|
|
|
468bd4 |
+++ b/grub-core/net/efi/net.c
|
|
|
468bd4 |
@@ -1318,11 +1318,18 @@ grub_efi_net_boot_from_https (void)
|
|
|
468bd4 |
|
|
|
468bd4 |
dp = grub_efi_get_device_path (image->device_handle);
|
|
|
468bd4 |
|
|
|
468bd4 |
- while (1)
|
|
|
468bd4 |
+ while (dp)
|
|
|
468bd4 |
{
|
|
|
468bd4 |
+ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
|
|
|
468bd4 |
+ if (len < 4)
|
|
|
468bd4 |
+ {
|
|
|
468bd4 |
+ grub_error(GRUB_ERR_OUT_OF_RANGE,
|
|
|
468bd4 |
+ "malformed EFI Device Path node has length=%d", len);
|
|
|
468bd4 |
+ break;
|
|
|
468bd4 |
+ }
|
|
|
468bd4 |
+
|
|
|
468bd4 |
grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
|
|
|
468bd4 |
grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
|
|
|
468bd4 |
- grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
|
|
|
468bd4 |
|
|
|
468bd4 |
if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE)
|
|
|
468bd4 |
&& (subtype == GRUB_EFI_URI_DEVICE_PATH_SUBTYPE))
|
|
|
468bd4 |
@@ -1335,7 +1342,7 @@ grub_efi_net_boot_from_https (void)
|
|
|
468bd4 |
|
|
|
468bd4 |
if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
|
|
|
468bd4 |
break;
|
|
|
468bd4 |
- dp = (grub_efi_device_path_t *) ((char *) dp + len);
|
|
|
468bd4 |
+ dp = GRUB_EFI_NEXT_DEVICE_PATH(dp);
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
return 0;
|
|
|
468bd4 |
@@ -1353,11 +1360,18 @@ grub_efi_net_boot_from_opa (void)
|
|
|
468bd4 |
|
|
|
468bd4 |
dp = grub_efi_get_device_path (image->device_handle);
|
|
|
468bd4 |
|
|
|
468bd4 |
- while (1)
|
|
|
468bd4 |
+ while (dp)
|
|
|
468bd4 |
{
|
|
|
468bd4 |
+ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
|
|
|
468bd4 |
+ if (len < 4)
|
|
|
468bd4 |
+ {
|
|
|
468bd4 |
+ grub_error(GRUB_ERR_OUT_OF_RANGE,
|
|
|
468bd4 |
+ "malformed EFI Device Path node has length=%d", len);
|
|
|
468bd4 |
+ break;
|
|
|
468bd4 |
+ }
|
|
|
468bd4 |
+
|
|
|
468bd4 |
grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
|
|
|
468bd4 |
grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
|
|
|
468bd4 |
- grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
|
|
|
468bd4 |
|
|
|
468bd4 |
if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE)
|
|
|
468bd4 |
&& (subtype == GRUB_EFI_MAC_ADDRESS_DEVICE_PATH_SUBTYPE))
|
|
|
468bd4 |
@@ -1368,7 +1382,7 @@ grub_efi_net_boot_from_opa (void)
|
|
|
468bd4 |
|
|
|
468bd4 |
if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
|
|
|
468bd4 |
break;
|
|
|
468bd4 |
- dp = (grub_efi_device_path_t *) ((char *) dp + len);
|
|
|
468bd4 |
+ dp = GRUB_EFI_NEXT_DEVICE_PATH(dp);
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
return 0;
|