forked from pool/grub2
a2141f8610
1 OBS-URL: https://build.opensuse.org/request/show/417037 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=140
44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
From 52408aa94604466bdd80f48fa8d68378a1ffab31 Mon Sep 17 00:00:00 2001
|
|
From: Andrei Borzenkov <arvidjaar@gmail.com>
|
|
Date: Tue, 26 Jul 2016 20:38:58 +0300
|
|
Subject: [PATCH] dns: fix buffer overflow for data->addresses in recv_hook
|
|
|
|
We may get more than one response before exiting out of loop in
|
|
grub_net_dns_lookup, but buffer was allocated for the first response only,
|
|
so storing answers from subsequent replies wrote past allocated size.
|
|
We never really use more than the very first address during lookup so there
|
|
is little point in collecting all of them. Just quit early if we already have
|
|
some reply.
|
|
|
|
Code needs serious redesign to actually collect multiple answers
|
|
and select the best fit according to requested type (IPv4 or IPv6).
|
|
|
|
Reported and tested by Michael Chang <mchang@suse.com>
|
|
---
|
|
grub-core/net/dns.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
|
|
index 89741dd..5d9afe0 100644
|
|
--- a/grub-core/net/dns.c
|
|
+++ b/grub-core/net/dns.c
|
|
@@ -238,6 +238,15 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
|
|
char *redirect_save = NULL;
|
|
grub_uint32_t ttl_all = ~0U;
|
|
|
|
+ /* Code apparently assumed that only one packet is received as response.
|
|
+ We may get multiple responses due to network condition, so check here
|
|
+ and quit early. */
|
|
+ if (*data->addresses)
|
|
+ {
|
|
+ grub_netbuff_free (nb);
|
|
+ return GRUB_ERR_NONE;
|
|
+ }
|
|
+
|
|
head = (struct dns_header *) nb->data;
|
|
ptr = (grub_uint8_t *) (head + 1);
|
|
if (ptr >= nb->tail)
|
|
--
|
|
2.6.6
|
|
|