net/netbuff: Block overly large netbuff allocs

A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
reassembly. If we are asked to create one that is unreasonably big, refuse.

This is a hardening measure: if we hit this code, there's a bug somewhere
else that we should catch and fix.

This commit:
  - stops the bug propagating any further.
  - provides a spot to instrument in e.g. fuzzing to try to catch these bugs.

I have put instrumentation (e.g. __builtin_trap() to force a crash) here and
have not been able to find any more crashes.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
index 72e5296356f061a941c18c5606734ea3e592004b..8da327bfd90a70c2e8a80d41779a9fae432d2020 100644 (file)
--- a/grub-core/net/netbuff.c
+++ b/grub-core/net/netbuff.c
@@ -79,10 +79,23 @@ grub_netbuff_alloc (grub_size_t len)
 
   COMPILE_TIME_ASSERT (NETBUFF_ALIGN % sizeof (grub_properly_aligned_t) == 0);
 
+  /*
+   * The largest size of a TCP packet is 64 KiB, and everything else
+   * should be a lot smaller - most MTUs are 1500 or less. Cap data
+   * size at 64 KiB + a buffer.
+   */
+  if (len > 0xffffUL + 0x1000UL)
+    {
+      grub_error (GRUB_ERR_BUG,
+                  "attempted to allocate a packet that is too big");
+      return NULL;
+    }
+
   if (len < NETBUFFMINLEN)
     len = NETBUFFMINLEN;
 
   len = ALIGN_UP (len, NETBUFF_ALIGN);
+
 #ifdef GRUB_MACHINE_EMU
   data = grub_malloc (len + sizeof (*nb));
 #else