| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- From 2974684d2f7f85a5c57af8155cc3b70c04ec1d6b Mon Sep 17 00:00:00 2001
- From: Daniel Axtens <dja@axtens.net>
- Date: Tue, 8 Mar 2022 19:04:40 +1100
- Subject: [PATCH] net/http: Error out on headers with LF without CR
- In a similar vein to the previous patch, parse_line() would write
- a NUL byte past the end of the buffer if there was an HTTP header
- with a LF rather than a CRLF.
- RFC-2616 says:
- Many HTTP/1.1 header field values consist of words separated by LWS
- or special characters. These special characters MUST be in a quoted
- string to be used within a parameter value (as defined in section 3.6).
- We don't support quoted sections or continuation lines, etc.
- If we see an LF that's not part of a CRLF, bail out.
- Fixes: CVE-2022-28734
- Signed-off-by: Daniel Axtens <dja@axtens.net>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Upstream: b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/net/http.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
- diff --git a/grub-core/net/http.c b/grub-core/net/http.c
- index a19b0a205..1fa62b5cb 100644
- --- a/grub-core/net/http.c
- +++ b/grub-core/net/http.c
- @@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
- char *end = ptr + len;
- while (end > ptr && *(end - 1) == '\r')
- end--;
- +
- + /* LF without CR. */
- + if (end == ptr + len)
- + {
- + data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
- + return GRUB_ERR_NONE;
- + }
- *end = 0;
- +
- /* Trailing CRLF. */
- if (data->in_chunk_len == 1)
- {
- --
- 2.41.0
|
