diff options
author | Daniel Axtens <dja@axtens.net> | 2022-03-08 19:04:40 +1100 |
---|---|---|
committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-06-07 16:39:33 +0200 |
commit | b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 (patch) | |
tree | 23de7887aaae406c8275cce20c337a7bb396745d | |
parent | ec6bfd3237394c1c7dbf2fd73417173318d22f4b (diff) | |
download | grub-b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4.tar.gz |
net/http: Error out on headers with LF without CR
In a similar vein to the previous patch, parse_line() would write
a NUL byte past the end of the buffer if there was an HTTP header
with a LF rather than a CRLF.
RFC-2616 says:
Many HTTP/1.1 header field values consist of words separated by LWS
or special characters. These special characters MUST be in a quoted
string to be used within a parameter value (as defined in section 3.6).
We don't support quoted sections or continuation lines, etc.
If we see an LF that's not part of a CRLF, bail out.
Fixes: CVE-2022-28734
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-rw-r--r-- | grub-core/net/http.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/grub-core/net/http.c b/grub-core/net/http.c index 33a0a28c4..9291a13e2 100644 --- a/grub-core/net/http.c +++ b/grub-core/net/http.c @@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len) char *end = ptr + len; while (end > ptr && *(end - 1) == '\r') end--; + + /* LF without CR. */ + if (end == ptr + len) + { + data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR")); + return GRUB_ERR_NONE; + } *end = 0; + /* Trailing CRLF. */ if (data->in_chunk_len == 1) { |