1 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch
new file mode 100644
index 0000000000..f31167d315
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch
@@ -0,0 +1,58 @@
+From b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 8 Mar 2022 19:04:40 +1100
+Subject: [PATCH] net/http: Error out on headers with LF without CR
+In a similar vein to the previous patch, parse_line() would write
+a NUL byte past the end of the buffer if there was an HTTP header
+with a LF rather than a CRLF.
+RFC-2616 says:
+  Many HTTP/1.1 header field values consist of words separated by LWS
+  or special characters. These special characters MUST be in a quoted
+  string to be used within a parameter value (as defined in section 3.6).
+We don't support quoted sections or continuation lines, etc.
+If we see an LF that's not part of a CRLF, bail out.
+Fixes: CVE-2022-28734
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport
+CVE: CVE-2022-28734
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/net/http.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 33a0a28c4..9291a13e2 100644
+--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+   char *end = ptr + len;
+   while (end > ptr && *(end - 1) == '\r')
+     end--;
+
+  /* LF without CR. */
+  if (end == ptr + len)
+    {
+      data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
+      return GRUB_ERR_NONE;
+    }
+   *end = 0;
+
+   /* Trailing CRLF.  */
+   if (data->in_chunk_len == 1)
+     {
+-- 
+2.34.1

diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch new file mode 100644 index 0000000000..f31167d315 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch
@@ -0,0 +1,58 @@
	1	From b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4 Mon Sep 17 00:00:00 2001
	2	From: Daniel Axtens <dja@axtens.net>
	3	Date: Tue, 8 Mar 2022 19:04:40 +1100
	4	Subject: [PATCH] net/http: Error out on headers with LF without CR
	5
	6	In a similar vein to the previous patch, parse_line() would write
	7	a NUL byte past the end of the buffer if there was an HTTP header
	8	with a LF rather than a CRLF.
	9
	10	RFC-2616 says:
	11
	12	Many HTTP/1.1 header field values consist of words separated by LWS
	13	or special characters. These special characters MUST be in a quoted
	14	string to be used within a parameter value (as defined in section 3.6).
	15
	16	We don't support quoted sections or continuation lines, etc.
	17
	18	If we see an LF that's not part of a CRLF, bail out.
	19
	20	Fixes: CVE-2022-28734
	21
	22	Signed-off-by: Daniel Axtens <dja@axtens.net>
	23	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	24
	25	Upstream-Status: Backport
	26	CVE: CVE-2022-28734
	27
	28	Reference to upstream patch:
	29	https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4
	30
	31	Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
	32	---
	33	grub-core/net/http.c \| 8 ++++++++
	34	1 file changed, 8 insertions(+)
	35
	36	diff --git a/grub-core/net/http.c b/grub-core/net/http.c
	37	index 33a0a28c4..9291a13e2 100644
	38	--- a/grub-core/net/http.c
	39	+++ b/grub-core/net/http.c
	40	@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
	41	char *end = ptr + len;
	42	while (end > ptr && *(end - 1) == '\r')
	43	end--;
	44	+
	45	+ /* LF without CR. */
	46	+ if (end == ptr + len)
	47	+ {
	48	+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
	49	+ return GRUB_ERR_NONE;
	50	+ }
	51	*end = 0;
	52	+
	53	/* Trailing CRLF. */
	54	if (data->in_chunk_len == 1)
	55	{
	56	--
	57	2.34.1
	58