代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/shim 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 0226b56513b2b8bd5fd281bce77c40c9bf07c66d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 2 Aug 2023 14:19:31 -0400
Subject: [PATCH] CVE-2023-40547 - avoid incorrectly trusting HTTP headers
When retrieving files via HTTP or related protocols, shim attempts to
allocate a buffer to store the received data. Unfortunately, this means
getting the size from an HTTP header, which can be manipulated to
specify a size that's smaller than the received data. In this case, the
code accidentally uses the header for the allocation but the protocol
metadata to copy it from the rx buffer, resulting in an out-of-bounds
write.
This patch adds an additional check to test that the rx buffer is not
larger than the allocation.
Resolves: CVE-2023-40547
Reported-by: Bill Demirkapi, Microsoft Security Response Center
Signed-off-by: Peter Jones <pjones@redhat.com>
---
httpboot.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/httpboot.c b/httpboot.c
index dfa493b..b34dd49 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
}
if (*buf_size == 0) {
- perror(L"Failed to get Content-Lenght\n");
+ perror(L"Failed to get Content-Length\n");
+ goto error;
+ }
+
+ if (*buf_size < rx_message.BodyLength) {
+ efi_status = EFI_BAD_BUFFER_SIZE;
+ perror(L"Invalid Content-Length\n");
goto error;
}
--
2.33.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。