1From b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Tue, 8 Mar 2022 19:04:40 +1100 4Subject: [PATCH] net/http: Error out on headers with LF without CR 5 6In a similar vein to the previous patch, parse_line() would write 7a NUL byte past the end of the buffer if there was an HTTP header 8with a LF rather than a CRLF. 9 10RFC-2616 says: 11 12 Many HTTP/1.1 header field values consist of words separated by LWS 13 or special characters. These special characters MUST be in a quoted 14 string to be used within a parameter value (as defined in section 3.6). 15 16We don't support quoted sections or continuation lines, etc. 17 18If we see an LF that's not part of a CRLF, bail out. 19 20Fixes: CVE-2022-28734 21 22Signed-off-by: Daniel Axtens <dja@axtens.net> 23Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 24 25Upstream-Status: Backport 26CVE: CVE-2022-28734 27 28Reference to upstream patch: 29https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 30 31Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> 32--- 33 grub-core/net/http.c | 8 ++++++++ 34 1 file changed, 8 insertions(+) 35 36diff --git a/grub-core/net/http.c b/grub-core/net/http.c 37index 33a0a28c4..9291a13e2 100644 38--- a/grub-core/net/http.c 39+++ b/grub-core/net/http.c 40@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len) 41 char *end = ptr + len; 42 while (end > ptr && *(end - 1) == '\r') 43 end--; 44+ 45+ /* LF without CR. */ 46+ if (end == ptr + len) 47+ { 48+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR")); 49+ return GRUB_ERR_NONE; 50+ } 51 *end = 0; 52+ 53 /* Trailing CRLF. */ 54 if (data->in_chunk_len == 1) 55 { 56-- 572.34.1 58 59