Daniel Axtens b26b4c08e7 net/http: Error out on headers with LF without CR ...

In a similar vein to the previous patch, parse_line() would write
a NUL byte past the end of the buffer if there was an HTTP header
with a LF rather than a CRLF.

RFC-2616 says:

  Many HTTP/1.1 header field values consist of words separated by LWS
  or special characters. These special characters MUST be in a quoted
  string to be used within a parameter value (as defined in section 3.6).

We don't support quoted sections or continuation lines, etc.

If we see an LF that's not part of a CRLF, bail out.

Fixes: CVE-2022-28734

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2022-06-07 16:39:33 +02:00

..

drivers

build: Fix -Werror=array-bounds array subscript 0 is outside array bounds

2022-04-20 18:27:52 +02:00

arp.c

net/arp: Fix uninitialized scalar variable

2022-04-04 20:28:54 +02:00

bootp.c

net/bootp: Fix uninitialized scalar variable

2022-04-04 20:28:54 +02:00

dns.c

net/dns: Don't read past the end of the string we're checking against

2022-06-07 16:39:33 +02:00

ethernet.c

net: Remove trailing whitespaces

2022-03-14 15:58:06 +01:00

http.c

net/http: Error out on headers with LF without CR

2022-06-07 16:39:33 +02:00

icmp6.c

net: Fix NULL pointer dereference when parsing ICMP6_ROUTER_ADVERTISE messages

2022-04-26 15:53:11 +02:00

icmp.c

arp, icmp: Fix handling in case of oversized or invalid packets.

2015-03-27 12:18:25 +01:00

ip.c

net/ip: Do IP fragment maths safely

2022-06-07 16:39:33 +02:00

net.c

net/tftp: Prevent a UAF and double-free from a failed seek

2022-06-07 16:39:33 +02:00

netbuff.c

net/netbuff: Block overly large netbuff allocs

2022-06-07 16:39:33 +02:00

tcp.c

net/tcp: Only call grub_get_time_ms() when there are sockets to potentially retransmit for

2022-04-04 19:59:49 +02:00

tftp.c

net/tftp: Avoid a trivial UAF

2022-06-07 16:39:33 +02:00

udp.c

net: Remove trailing whitespaces

2022-03-14 15:58:06 +01:00