From 69a54db486b6b01c50d6a43294f881cfc9906268 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@canonical.com>
Date: Tue, 24 Sep 2013 12:05:47 -0400
Subject: [PATCH] Correct limits on the length of ipv6 addresses

The maximum length of a string representation of an ipv6 address is 39
characters (8 groups of 4 hex chars, with 7 colons in between).  So don't
allocate more room than this - and more importantly, don't blindly accept
strings from the server that are longer than our buffer...
---
 netboot.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/netboot.c b/netboot.c
index ff63cde..cbbba66 100644
--- a/netboot.c
+++ b/netboot.c
@@ -227,7 +227,7 @@ static UINT8 *str2ip6(char *str)
 static BOOLEAN extract_tftp_info(CHAR8 *url)
 {
 	CHAR8 *start, *end;
-	char ip6str[128];
+	char ip6str[40];
 	CHAR8 *template = (CHAR8 *)"/grubx64.efi";
 
 	if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
@@ -244,12 +244,16 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
 	end = start;
 	while ((*end != '\0') && (*end != ']')) {
 		end++;
+		if (end - start > 39) {
+			Print(L"TFTP URL includes malformed IPv6 address\n");
+			return FALSE;
+		}
 	}
 	if (end == '\0') {
 		Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
 		return FALSE;
 	}
-	memset(ip6str, 0, 128);
+	memset(ip6str, 0, 40);
 	memcpy(ip6str, start, end - start);
 	end++;
 	memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);