proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-08-11 21:17:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

net/ip: Do IP fragment maths safely

Browse Source 
This avoids an underflow and subsequent unpleasantness.

Fixes: CVE-2022-28733

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Daniel Axtens 2021-12-20 19:41:21 +11:00 committed by Julian Andres Klode
parent 4ea64c827f
commit 2a4f87df65
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
grub-core/net/ip.c
View File

@ -25,6 +25,7 @@
#include <grub/net/netbuff.h>
#include <grub/mm.h>
#include <grub/priority_queue.h>
#include <grub/safemath.h>
#include <grub/time.h>
struct iphdr {
@ -551,7 +552,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
{
rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ (nb->tail - nb->data));
rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
&rsm->total_len))
{
grub_dprintf ("net", "IP reassembly size underflow\n");
return GRUB_ERR_NONE;
}
rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
if (!rsm->asm_netbuff)
{