diff options
| author | Daniel Axtens <dja@axtens.net> | 2022-03-05 00:39:04 +1100 |
|---|---|---|
| committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-03-14 23:05:00 +0100 |
| commit | e976dc27f88968bc768224fd8102a508a3a39383 (patch) | |
| tree | 195cbcae2f59e70cd2c9f635262f2b2da1f6fe60 | |
| parent | a385f10480ecf8a39612b7e12fd28c7349702041 (diff) | |
| download | grub-e976dc27f88968bc768224fd8102a508a3a39383.tar.gz | |
net: Check against nb->tail in grub_netbuff_pull()
GRUB netbuff structure members track 2 different things: the extent of memory
allocated for the packet, and the extent of memory currently being worked on.
This works out in the structure as follows:
nb->head: beginning of the allocation
nb->data: beginning of the working data
nb->tail: end of the working data
nb->end: end of the allocation
The head and end pointers are set in grub_netbuff_alloc() and do not change.
The data and tail pointers are initialised to point at start of the
allocation (that is, head == data == tail initially), and are then
manipulated by grub_netbuff_*() functions. Key functions are as follows:
- grub_netbuff_put(): "put" more data into the packet - advance nb->tail
- grub_netbuff_unput(): trim the tail of the packet - retract nb->tail
- grub_netbuff_pull(): "consume" some packet data - advance nb->data
- grub_netbuff_reserve(): reserve space for future headers - advance nb->data and nb->tail
- grub_netbuff_push(): "un-consume" data to allow headers to be written - retract nb->data
Each of those functions does some form of error checking. For example,
grub_netbuff_put() does not allow nb->tail to exceed nb->end, and
grub_netbuff_push() does not allow nb->data to be before nb->head.
However, grub_netbuff_pull()'s error checking is a bit weird. It advances nb->data
and checks that it does not exceed nb->end. That allows you to get into the
situation where nb->data > nb->tail, which should not be.
Make grub_netbuff_pull() check against both nb->tail and nb->end. In theory just
checking against ->tail should be sufficient but the extra check should be
cheap and seems like good defensive practice.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
| -rw-r--r-- | grub-core/net/netbuff.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c index dbeeefe47..72e529635 100644 --- a/grub-core/net/netbuff.c +++ b/grub-core/net/netbuff.c @@ -54,7 +54,7 @@ grub_err_t grub_netbuff_pull (struct grub_net_buff *nb, grub_size_t len) { nb->data += len; - if (nb->data > nb->end) + if (nb->data > nb->end || nb->data > nb->tail) return grub_error (GRUB_ERR_BUG, "pull out of the packet range."); return GRUB_ERR_NONE; |