grub2/0001-dns-fix-buffer-overflow-for-data-addresses-in-recv_h.patch

44 lines
1.5 KiB
Diff
Raw Normal View History

Accepting request 416645 from home:michael-chang:branches:Base:System - grub.default: Empty GRUB_CMDLINE_LINUX_DEFAULT, the value will be fully taken from YaST settings. (bsc#989803) - Add patches from Roberto Sassu <rsassu@suse.de> - Fix grub2-10_linux-avoid-multi-device-root-kernel-argument.patch, device path is not tested if GRUB_DISABLE_LINUX_UUID="true" - added grub2-fix-multi-device-root-kernel-argument.patch (bsc#960776) - grub2-zipl-setup: avoid multi-device root= kernel argument * added grub2-zipl-setup-fix-btrfs-multipledev.patch (bsc#960776) - Add SUSE_REMOVE_LINUX_ROOT_PARAM configuration option to /etc/default/grub, to remove root= and rootflags= from the kernel command line in /boot/grub2/grub.cfg and /boot/zipl/config - added grub2-suse-remove-linux-root-param.patch (bsc#962585) - Support HTTP Boot IPv4 and IPv6 (fate#320129) * 0001-misc-fix-invalid-character-recongition-in-strto-l.patch * 0002-net-read-bracketed-ipv6-addrs-and-port-numbers.patch * 0003-bootp-New-net_bootp6-command.patch * 0004-efinet-UEFI-IPv6-PXE-support.patch * 0005-grub.texi-Add-net_bootp6-doument.patch * 0006-bootp-Add-processing-DHCPACK-packet-from-HTTP-Boot.patch * 0007-efinet-Setting-network-from-UEFI-device-path.patch * 0008-efinet-Setting-DNS-server-from-UEFI-protocol.patch - Fix heap corruption after dns lookup * 0001-dns-fix-buffer-overflow-for-data-addresses-in-recv_h.patch OBS-URL: https://build.opensuse.org/request/show/416645 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=224
2016-08-05 09:32:20 +02:00
From 52408aa94604466bdd80f48fa8d68378a1ffab31 Mon Sep 17 00:00:00 2001
From: Andrei Borzenkov <arvidjaar@gmail.com>
Date: Tue, 26 Jul 2016 20:38:58 +0300
Subject: [PATCH] dns: fix buffer overflow for data->addresses in recv_hook
We may get more than one response before exiting out of loop in
grub_net_dns_lookup, but buffer was allocated for the first response only,
so storing answers from subsequent replies wrote past allocated size.
We never really use more than the very first address during lookup so there
is little point in collecting all of them. Just quit early if we already have
some reply.
Code needs serious redesign to actually collect multiple answers
and select the best fit according to requested type (IPv4 or IPv6).
Reported and tested by Michael Chang <mchang@suse.com>
---
grub-core/net/dns.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 89741dd..5d9afe0 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -238,6 +238,15 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
char *redirect_save = NULL;
grub_uint32_t ttl_all = ~0U;
+ /* Code apparently assumed that only one packet is received as response.
+ We may get multiple responses due to network condition, so check here
+ and quit early. */
+ if (*data->addresses)
+ {
+ grub_netbuff_free (nb);
+ return GRUB_ERR_NONE;
+ }
+
head = (struct dns_header *) nb->data;
ptr = (grub_uint8_t *) (head + 1);
if (ptr >= nb->tail)
--
2.6.6