grub2/0257-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
Robbie Harwood 42b3050a74 CVE fixes for 2022-05-24
CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
Resolves: #2070688

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-03 14:09:47 -04:00

44 lines
1.6 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 1 Mar 2022 23:14:15 +1100
Subject: [PATCH] net/http: Do not tear down socket if it's already been torn
down
It's possible for data->sock to get torn down in tcp error handling.
If we unconditionally tear it down again we will end up doing writes
to an offset of the NULL pointer when we go to tear it down again.
Detect if it has been torn down and don't do it again.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit ec233d3ecf995293304de443579aab5c46c49e85)
(cherry picked from commit d39cf87ed701b9f0900daed7f672e07994d37ce8)
---
grub-core/net/http.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index 7f878b5615..19cb8768e3 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -427,7 +427,7 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
return err;
}
- for (i = 0; !data->headers_recv && i < 100; i++)
+ for (i = 0; data->sock && !data->headers_recv && i < 100; i++)
{
grub_net_tcp_retransmit ();
grub_net_poll_cards (300, &data->headers_recv);
@@ -435,7 +435,8 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
if (!data->headers_recv)
{
- grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
+ if (data->sock)
+ grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
if (data->err)
{
char *str = data->errmsg;