From 0226b56513b2b8bd5fd281bce77c40c9bf07c66d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 2 Aug 2023 14:19:31 -0400
Subject: [PATCH] CVE-2023-40547 - avoid incorrectly trusting HTTP headers
When retrieving files via HTTP or related protocols, shim attempts to
allocate a buffer to store the received data. Unfortunately, this means
getting the size from an HTTP header, which can be manipulated to
specify a size that's smaller than the received data. In this case, the
code accidentally uses the header for the allocation but the protocol
metadata to copy it from the rx buffer, resulting in an out-of-bounds
write.
This patch adds an additional check to test that the rx buffer is not
larger than the allocation.
Resolves: CVE-2023-40547
Reported-by: Bill Demirkapi, Microsoft Security Response Center
Signed-off-by: Peter Jones <pjones@redhat.com>
---
httpboot.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/httpboot.c b/httpboot.c
index dfa493b..b34dd49 100644
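--- a/httpboot.c
+++ b/httpboot.c
@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
 }
 
 if (*buf_size == 0) {
- perror(L"Failed to get Content-Lenght\n");
+ perror(L"Failed to get Content-Length\n");
+ goto error;
+ }
+
+ if (*buf_size < rx_message.BodyLength) {
+ efi_status = EFI_BAD_BUFFER_SIZE;
+ perror(L"Invalid Content-Length\n");
 goto error;
 }
 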
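Review bot: The `*buf_size == 0` branch still jumps to `error` without assigning `efi_status`, while the new `*buf_size < rx_message.BodyLength` branch right below it sets `EFI_BAD_BUFFER_SIZE` first. If `efi_status` still holds the result of an earlier successful call at this point (not visible in the hunk), a response with a missing or zero Content-Length could make the function return success with no buffer allocated; adding `efi_status = EFI_BAD_BUFFER_SIZE;` before that `goto error;` would make both rejections fail explicitly. The new comparison also only bounds the body carried by the first response message; any later copy from the rx buffer needs its own check of the running total against `*buf_size`, and that code, like the rest of receive_http_response, lies outside this hunk.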
--
2.33.0