1From ec6bfd3237394c1c7dbf2fd73417173318d22f4b Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Tue, 8 Mar 2022 18:17:03 +1100 4Subject: [PATCH] net/http: Fix OOB write for split http headers 5 6GRUB has special code for handling an http header that is split 7across two packets. 8 9The code tracks the end of line by looking for a "\n" byte. The 10code for split headers has always advanced the pointer just past the 11end of the line, whereas the code that handles unsplit headers does 12not advance the pointer. This extra advance causes the length to be 13one greater, which breaks an assumption in parse_line(), leading to 14it writing a NUL byte one byte past the end of the buffer where we 15reconstruct the line from the two packets. 16 17It's conceivable that an attacker controlled set of packets could 18cause this to zero out the first byte of the "next" pointer of the 19grub_mm_region structure following the current_line buffer. 20 21Do not advance the pointer in the split header case. 22 23Fixes: CVE-2022-28734 24 25Signed-off-by: Daniel Axtens <dja@axtens.net> 26Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 27 28Upstream-Status: Backport 29CVE: CVE-2022-28734 30 31Reference to upstream patch: 32https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ec6bfd3237394c1c7dbf2fd73417173318d22f4b 33 34Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> 35--- 36 grub-core/net/http.c | 4 +--- 37 1 file changed, 1 insertion(+), 3 deletions(-) 38 39diff --git a/grub-core/net/http.c b/grub-core/net/http.c 40index f8d7bf0cd..33a0a28c4 100644 41--- a/grub-core/net/http.c 42+++ b/grub-core/net/http.c 43@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)), 44 int have_line = 1; 45 char *t; 46 ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data); 47- if (ptr) 48- ptr++; 49- else 50+ if (ptr == NULL) 51 { 52 have_line = 0; 53 ptr = (char *) nb->tail; 54-- 552.34.1 56 57