加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch 1.43 KB
一键复制 编辑 原始数据 按行查看 历史
From 0226b56513b2b8bd5fd281bce77c40c9bf07c66d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 2 Aug 2023 14:19:31 -0400
Subject: [PATCH] CVE-2023-40547 - avoid incorrectly trusting HTTP headers
When retrieving files via HTTP or related protocols, shim attempts to
allocate a buffer to store the received data. Unfortunately, this means
getting the size from an HTTP header, which can be manipulated to
specify a size that's smaller than the received data. In this case, the
code accidentally uses the header for the allocation but the protocol
metadata to copy it from the rx buffer, resulting in an out-of-bounds
write.
This patch adds an additional check to test that the rx buffer is not
larger than the allocation.
Resolves: CVE-2023-40547
Reported-by: Bill Demirkapi, Microsoft Security Response Center
Signed-off-by: Peter Jones <pjones@redhat.com>
---
httpboot.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/httpboot.c b/httpboot.c
index dfa493b..b34dd49 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
}
if (*buf_size == 0) {
- perror(L"Failed to get Content-Lenght\n");
+ perror(L"Failed to get Content-Length\n");
+ goto error;
+ }
+
+ if (*buf_size < rx_message.BodyLength) {
+ efi_status = EFI_BAD_BUFFER_SIZE;
+ perror(L"Invalid Content-Length\n");
goto error;
}
--
2.33.0
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化