1*4882a593SmuzhiyunFrom b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net> 3*4882a593SmuzhiyunDate: Tue, 8 Mar 2022 19:04:40 +1100 4*4882a593SmuzhiyunSubject: [PATCH] net/http: Error out on headers with LF without CR 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunIn a similar vein to the previous patch, parse_line() would write 7*4882a593Smuzhiyuna NUL byte past the end of the buffer if there was an HTTP header 8*4882a593Smuzhiyunwith a LF rather than a CRLF. 9*4882a593Smuzhiyun 10*4882a593SmuzhiyunRFC-2616 says: 11*4882a593Smuzhiyun 12*4882a593Smuzhiyun Many HTTP/1.1 header field values consist of words separated by LWS 13*4882a593Smuzhiyun or special characters. These special characters MUST be in a quoted 14*4882a593Smuzhiyun string to be used within a parameter value (as defined in section 3.6). 15*4882a593Smuzhiyun 16*4882a593SmuzhiyunWe don't support quoted sections or continuation lines, etc. 17*4882a593Smuzhiyun 18*4882a593SmuzhiyunIf we see an LF that's not part of a CRLF, bail out. 19*4882a593Smuzhiyun 20*4882a593SmuzhiyunFixes: CVE-2022-28734 21*4882a593Smuzhiyun 22*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net> 23*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 24*4882a593Smuzhiyun 25*4882a593SmuzhiyunUpstream-Status: Backport 26*4882a593SmuzhiyunCVE: CVE-2022-28734 27*4882a593Smuzhiyun 28*4882a593SmuzhiyunReference to upstream patch: 29*4882a593Smuzhiyunhttps://git.savannah.gnu.org/cgit/grub.git/commit/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 30*4882a593Smuzhiyun 31*4882a593SmuzhiyunSigned-off-by: Yongxin Liu <yongxin.liu@windriver.com> 32*4882a593Smuzhiyun--- 33*4882a593Smuzhiyun grub-core/net/http.c | 8 ++++++++ 34*4882a593Smuzhiyun 1 file changed, 8 insertions(+) 35*4882a593Smuzhiyun 36*4882a593Smuzhiyundiff --git a/grub-core/net/http.c b/grub-core/net/http.c 37*4882a593Smuzhiyunindex 33a0a28c4..9291a13e2 100644 38*4882a593Smuzhiyun--- a/grub-core/net/http.c 39*4882a593Smuzhiyun+++ b/grub-core/net/http.c 40*4882a593Smuzhiyun@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len) 41*4882a593Smuzhiyun char *end = ptr + len; 42*4882a593Smuzhiyun while (end > ptr && *(end - 1) == '\r') 43*4882a593Smuzhiyun end--; 44*4882a593Smuzhiyun+ 45*4882a593Smuzhiyun+ /* LF without CR. */ 46*4882a593Smuzhiyun+ if (end == ptr + len) 47*4882a593Smuzhiyun+ { 48*4882a593Smuzhiyun+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR")); 49*4882a593Smuzhiyun+ return GRUB_ERR_NONE; 50*4882a593Smuzhiyun+ } 51*4882a593Smuzhiyun *end = 0; 52*4882a593Smuzhiyun+ 53*4882a593Smuzhiyun /* Trailing CRLF. */ 54*4882a593Smuzhiyun if (data->in_chunk_len == 1) 55*4882a593Smuzhiyun { 56*4882a593Smuzhiyun-- 57*4882a593Smuzhiyun2.34.1 58*4882a593Smuzhiyun 59