[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we're checking against |
Date: |
Tue, 7 Jun 2022 19:01:28 +0200 |
From: Daniel Axtens <dja@axtens.net>
I don't really understand what's going on here but fuzzing found
a bug where we read past the end of check_with. That's a C string,
so use grub_strlen() to make sure we don't overread it.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/dns.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 841ede51e..afa389494 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -146,11 +146,18 @@ check_name_real (const grub_uint8_t *name_at, const
grub_uint8_t *head,
int *length, char *set)
{
const char *readable_ptr = check_with;
+ int readable_len;
const grub_uint8_t *ptr;
char *optr = set;
int bytes_processed = 0;
if (length)
*length = 0;
+
+ if (readable_ptr != NULL)
+ readable_len = grub_strlen (readable_ptr);
+ else
+ readable_len = 0;
+
for (ptr = name_at; ptr < tail && bytes_processed < tail - head + 2; )
{
/* End marker. */
@@ -172,13 +179,16 @@ check_name_real (const grub_uint8_t *name_at, const
grub_uint8_t *head,
ptr = head + (((ptr[0] & 0x3f) << 8) | ptr[1]);
continue;
}
- if (readable_ptr && grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0)
+ if (readable_ptr != NULL && (*ptr > readable_len || grub_memcmp (ptr +
1, readable_ptr, *ptr) != 0))
return 0;
if (grub_memchr (ptr + 1, 0, *ptr)
|| grub_memchr (ptr + 1, '.', *ptr))
return 0;
if (readable_ptr)
- readable_ptr += *ptr;
+ {
+ readable_ptr += *ptr;
+ readable_len -= *ptr;
+ }
if (readable_ptr && *readable_ptr != '.' && *readable_ptr != 0)
return 0;
bytes_processed += *ptr + 1;
@@ -192,7 +202,10 @@ check_name_real (const grub_uint8_t *name_at, const
grub_uint8_t *head,
if (optr)
*optr++ = '.';
if (readable_ptr && *readable_ptr)
- readable_ptr++;
+ {
+ readable_ptr++;
+ readable_len--;
+ }
ptr += *ptr + 1;
}
return 0;
--
2.11.0
- [SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operation fails, (continued)
- [SECURITY PATCH 11/30] video/readers/jpeg: Abort sooner if a read operation fails, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 16/30] net/ip: Do IP fragment maths safely, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 05/30] kern/file: Do not leak device_name on error in grub_file_open(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 26/30] fs/f2fs: Do not read past the end of nat bitmap, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 12/30] video/readers/jpeg: Do not reallocate a given huff table, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 03/30] loader/efi/chainloader: Use grub_loader_set_ex(), Daniel Kiper, 2022/06/07
- [SECURITY PATCH 10/30] video/readers/png: Sanity check some huffman codes, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 09/30] video/readers/png: Avoid heap OOB R/W inserting huff table items, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 07/30] video/readers/png: Refuse to handle multiple image headers, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 15/30] normal/charset: Fix array out-of-bounds formatting unicode for display, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 19/30] net/dns: Don't read past the end of the string we're checking against,
Daniel Kiper <=
- [SECURITY PATCH 25/30] fs/f2fs: Do not read past the end of nat journal entries, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 30/30] fs/btrfs: Fix more fuzz issues related to chunks, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 20/30] net/tftp: Prevent a UAF and double-free from a failed seek, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS response, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 17/30] net/netbuff: Block overly large netbuff allocs, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 24/30] net/http: Error out on headers with LF without CR, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 08/30] video/readers/png: Drop greyscale support to fix heap out-of-bounds write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 14/30] video/readers/jpeg: Block int underflow -> wild pointer write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 27/30] fs/f2fs: Do not copy file names that are too long, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 29/30] fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing, Daniel Kiper, 2022/06/07