git.ipfire.org Git - thirdparty/grub.git/commit
net: Fix OOB write in grub_net_search_config_file()
author B Horn <b@horn.uk>
Fri, 15 Nov 2024 13:12:09 +0000 (13:12 +0000)
committer Daniel Kiper <daniel.kiper@oracle.com>
Thu, 13 Feb 2025 14:44:58 +0000 (15:44 +0100)
commit 5eef88152833062a3f7e017535372d64ac8ef7e1
tree b504fa14b3f23a4123f9e90b353d7acbaa882404
parent aa8b4d7facef7b75a2703274b1b9d4e0e734c401
net: Fix OOB write in grub_net_search_config_file()

The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
passing the underlying buffer's size to grub_net_search_config_file().

Fixes: CVE-2025-0624
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/net/net.c
grub-core/normal/main.c
include/grub/net.h
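
The bug class the commit message describes, as an added stand-alone C illustration (not GRUB's code and not taken from this commit): an unbounded copy into a caller-allocated buffer beside the form where the caller passes the buffer size. All function names, buffer sizes and sample strings are hypothetical or constructed, and treating truncation as an error is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* strlcpy-style copy, written out because strlcpy is not in every libc:
   copies at most size-1 bytes, NUL-terminates when size > 0, and returns
   strlen(src) so the caller can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Pre-fix pattern (hypothetical name): the callee does not know how large
   'config' is, so a long value writes past the caller's allocation. */
void search_config_unbounded(char *config, const char *env_value)
{
    strcpy(config, env_value);
}

/* Post-fix pattern (hypothetical name): the caller passes the allocation
   size and the callee bounds the copy. Returns 0 on success, -1 when the
   value did not fit (an assumption of this example). */
int search_config_bounded(char *config, size_t config_size,
                          const char *env_value)
{
    if (config == NULL || config_size == 0 || env_value == NULL)
        return -1;
    return bounded_copy(config, env_value, config_size) < config_size ? 0 : -1;
}

int main(void)
{
    char config[16];                      /* constructed, deliberately small */
    const char *fits = "(tftp)/grub";     /* constructed sample values */
    const char *too_long = "(tftp)/a/very/long/prefix/from/the/environment";
    int rc = search_config_bounded(config, sizeof config, fits);
    printf("short: rc=%d buf=\"%s\"\n", rc, config);
    rc = search_config_bounded(config, sizeof config, too_long);
    printf("long:  rc=%d buf=\"%s\"\n", rc, config);
    return 0;
}
```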