nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Thomas Frauendorfer | Miray Software <tf@miray.de>
9723a8
Date: Tue, 4 Aug 2020 17:13:05 +0200
9723a8
Subject: [PATCH] efi/net: Fix malformed device path arithmetic errors in efi
9723a8
 net methods
9723a8
9723a8
---
9723a8
 grub-core/net/efi/net.c | 26 ++++++++++++++++++++------
9723a8
 1 file changed, 20 insertions(+), 6 deletions(-)
9723a8
9723a8
diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
b71686
index 3ae1fbbe3..a58c24f63 100644
9723a8
--- a/grub-core/net/efi/net.c
9723a8
+++ b/grub-core/net/efi/net.c
9723a8
@@ -1318,11 +1318,18 @@ grub_efi_net_boot_from_https (void)
9723a8
 
9723a8
   dp = grub_efi_get_device_path (image->device_handle);
9723a8
 
9723a8
-  while (1)
9723a8
+  while (dp)
9723a8
     {
9723a8
+      grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
9723a8
+      if (len < 4)
9723a8
+      {
9723a8
+	grub_error(GRUB_ERR_OUT_OF_RANGE,
9723a8
+		   "malformed EFI Device Path node has length=%d", len);
9723a8
+	break;
9723a8
+      }
9723a8
+
9723a8
       grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
9723a8
       grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
9723a8
-      grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
9723a8
 
9723a8
       if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE)
9723a8
 	  && (subtype == GRUB_EFI_URI_DEVICE_PATH_SUBTYPE))
9723a8
@@ -1335,7 +1342,7 @@ grub_efi_net_boot_from_https (void)
9723a8
 
9723a8
       if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
9723a8
         break;
9723a8
-      dp = (grub_efi_device_path_t *) ((char *) dp + len);
9723a8
+      dp = GRUB_EFI_NEXT_DEVICE_PATH(dp);
9723a8
     }
9723a8
 
9723a8
   return 0;
9723a8
@@ -1353,11 +1360,18 @@ grub_efi_net_boot_from_opa (void)
9723a8
 
9723a8
   dp = grub_efi_get_device_path (image->device_handle);
9723a8
 
9723a8
-  while (1)
9723a8
+  while (dp)
9723a8
     {
9723a8
+      grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
9723a8
+      if (len < 4)
9723a8
+      {
9723a8
+	grub_error(GRUB_ERR_OUT_OF_RANGE,
9723a8
+		   "malformed EFI Device Path node has length=%d", len);
9723a8
+	break;
9723a8
+      }
9723a8
+
9723a8
       grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
9723a8
       grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
9723a8
-      grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
9723a8
 
9723a8
       if ((type == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE)
9723a8
 	  && (subtype == GRUB_EFI_MAC_ADDRESS_DEVICE_PATH_SUBTYPE))
9723a8
@@ -1368,7 +1382,7 @@ grub_efi_net_boot_from_opa (void)
9723a8
 
9723a8
       if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
9723a8
         break;
9723a8
-      dp = (grub_efi_device_path_t *) ((char *) dp + len);
9723a8
+      dp = GRUB_EFI_NEXT_DEVICE_PATH(dp);
9723a8
     }
9723a8
 
9723a8
   return 0;