SHA256
1
0
forked from pool/grub2
grub2/0001-dns-fix-buffer-overflow-for-data-addresses-in-recv_h.patch

44 lines
1.5 KiB
Diff
Raw Normal View History

From 52408aa94604466bdd80f48fa8d68378a1ffab31 Mon Sep 17 00:00:00 2001
From: Andrei Borzenkov <arvidjaar@gmail.com>
Date: Tue, 26 Jul 2016 20:38:58 +0300
Subject: [PATCH] dns: fix buffer overflow for data->addresses in recv_hook
We may get more than one response before exiting out of loop in
grub_net_dns_lookup, but buffer was allocated for the first response only,
so storing answers from subsequent replies wrote past allocated size.
We never really use more than the very first address during lookup so there
is little point in collecting all of them. Just quit early if we already have
some reply.
Code needs serious redesign to actually collect multiple answers
and select the best fit according to requested type (IPv4 or IPv6).
Reported and tested by Michael Chang <mchang@suse.com>
---
grub-core/net/dns.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 89741dd..5d9afe0 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -238,6 +238,15 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
char *redirect_save = NULL;
grub_uint32_t ttl_all = ~0U;
+ /* Code apparently assumed that only one packet is received as response.
+ We may get multiple responses due to network condition, so check here
+ and quit early. */
+ if (*data->addresses)
+ {
+ grub_netbuff_free (nb);
+ return GRUB_ERR_NONE;
+ }
+
head = (struct dns_header *) nb->data;
ptr = (grub_uint8_t *) (head + 1);
if (ptr >= nb->tail)
--
2.6.6