42b3050a74
CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733 CVE-2021-3697 CVE-2021-3696 CVE-2021-3695 Resolves: #2070688 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Tue, 8 Mar 2022 23:47:46 +1100
|
|
Subject: [PATCH] net/netbuff: Block overly large netbuff allocs
|
|
|
|
A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
|
|
reassembly.
|
|
|
|
This helps avoid some bugs (and provides a spot to instrument to catch
|
|
them at their source).
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
(cherry picked from commit ee9591103004cd13b4efadda671536090ca7fd57)
|
|
(cherry picked from commit acde668bb9d9fa862a1a63e3bbd5fa47fdfa9183)
|
|
---
|
|
grub-core/net/netbuff.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
|
|
index dbeeefe478..d5e9e9a0d7 100644
|
|
--- a/grub-core/net/netbuff.c
|
|
+++ b/grub-core/net/netbuff.c
|
|
@@ -79,10 +79,23 @@ grub_netbuff_alloc (grub_size_t len)
|
|
|
|
COMPILE_TIME_ASSERT (NETBUFF_ALIGN % sizeof (grub_properly_aligned_t) == 0);
|
|
|
|
+ /*
|
|
+ * The largest size of a TCP packet is 64 KiB, and everything else
|
|
+ * should be a lot smaller - most MTUs are 1500 or less. Cap data
|
|
+ * size at 64 KiB + a buffer.
|
|
+ */
|
|
+ if (len > 0xffffUL + 0x1000UL)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BUG,
|
|
+ "attempted to allocate a packet that is too big");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
if (len < NETBUFFMINLEN)
|
|
len = NETBUFFMINLEN;
|
|
|
|
len = ALIGN_UP (len, NETBUFF_ALIGN);
|
|
+
|
|
#ifdef GRUB_MACHINE_EMU
|
|
data = grub_malloc (len + sizeof (*nb));
|
|
#else
|