|
 |
b35c50 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b35c50 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
b35c50 |
Date: Mon, 20 Dec 2021 19:41:21 +1100
|
|
|
b35c50 |
Subject: [PATCH] net/ip: Do IP fragment maths safely
|
|
|
b35c50 |
|
|
|
b35c50 |
This avoids an underflow and subsequent unpleasantness.
|
|
|
b35c50 |
|
|
|
b35c50 |
Fixes: CVE-2022-28733
|
|
|
b35c50 |
|
|
|
b35c50 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
b35c50 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b35c50 |
(cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)
|
|
|
b35c50 |
---
|
|
|
b35c50 |
grub-core/net/ip.c | 10 +++++++++-
|
|
|
b35c50 |
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
b35c50 |
|
|
|
b35c50 |
diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
|
|
|
b35c50 |
index ce6bdc75c6..cf74f1f794 100644
|
|
|
b35c50 |
--- a/grub-core/net/ip.c
|
|
|
b35c50 |
+++ b/grub-core/net/ip.c
|
|
|
b35c50 |
@@ -25,6 +25,7 @@
|
|
|
b35c50 |
#include <grub/net/netbuff.h>
|
|
|
b35c50 |
#include <grub/mm.h>
|
|
|
b35c50 |
#include <grub/priority_queue.h>
|
|
|
b35c50 |
+#include <grub/safemath.h>
|
|
|
b35c50 |
#include <grub/time.h>
|
|
|
b35c50 |
|
|
|
b35c50 |
struct iphdr {
|
|
|
b35c50 |
@@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
|
|
|
b35c50 |
{
|
|
|
b35c50 |
rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
|
|
|
b35c50 |
+ (nb->tail - nb->data));
|
|
|
b35c50 |
- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
|
|
|
b35c50 |
+
|
|
|
b35c50 |
+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
|
|
|
b35c50 |
+ &rsm->total_len))
|
|
|
b35c50 |
+ {
|
|
|
b35c50 |
+ grub_dprintf ("net", "IP reassembly size underflow\n");
|
|
|
b35c50 |
+ return GRUB_ERR_NONE;
|
|
|
b35c50 |
+ }
|
|
|
b35c50 |
+
|
|
|
b35c50 |
rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
|
|
|
b35c50 |
if (!rsm->asm_netbuff)
|
|
|
b35c50 |
{
|