CVE-2023-40547 - avoid incorrectly trusting HTTP headers

When retrieving files via HTTP or related protocols, shim attempts to allocate a buffer to store the received data. Unfortunately, this means getting the size from an HTTP header, which can be manipulated to specify a size that's smaller than the received data. In this case, the code accidentally uses the header for the allocation but the protocol metadata to copy it from the rx buffer, resulting in an out-of-bounds write. This patch adds an additional check to test that the rx buffer is not larger than the allocation. Resolves: CVE-2023-40547 Reported-by: Bill Demirkapi, Microsoft Security Response Center Signed-off-by: Peter Jones <pjones@redhat.com>
rhboot · Dec 5, 2023 · 0226b56 · 0226b56 · tail-call · Jan 26, 2024
1 parent e801b0d
commit 0226b56
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/httpboot.c b/httpboot.c
@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
 	}
 
 	if (*buf_size == 0) {
-		perror(L"Failed to get Content-Lenght\n");
+		perror(L"Failed to get Content-Length\n");
+		goto error;
+	}
+
+	if (*buf_size < rx_message.BodyLength) {
+		efi_status = EFI_BAD_BUFFER_SIZE;
+		perror(L"Invalid Content-Length\n");
 		goto error;
 	}