authorPeter Jones <pjones@redhat.com>2023-08-02 14:19:31 -0400
committerPeter Jones <pjones@redhat.com>2023-12-05 13:20:00 -0500
commit0226b56513b2b8bd5fd281bce77c40c9bf07c66d (patch)
treefd0d2cf4a1f69b9ce610479b3113889f4d0a82b7
parente801b0d61fcf5e895b7f69986b5ed79cb6018ca1 (diff)
CVE-2023-40547 - avoid incorrectly trusting HTTP headers
When retrieving files via HTTP or related protocols, shim attempts to allocate a buffer to store the received data. Unfortunately, this means getting the size from an HTTP header, which can be manipulated to specify a size that's smaller than the received data. In this case, the code accidentally uses the header for the allocation but the protocol metadata to copy it from the rx buffer, resulting in an out-of-bounds write. This patch adds an additional check to test that the rx buffer is not larger than the allocation. Resolves: CVE-2023-40547 Reported-by: Bill Demirkapi, Microsoft Security Response Center Signed-off-by: Peter Jones <pjones@redhat.com>
-rw-r--r--httpboot.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/httpboot.c b/httpboot.c
index dfa493bf..b34dd49c 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
}
if (*buf_size == 0) {
- perror(L"Failed to get Content-Lenght\n");
+ perror(L"Failed to get Content-Length\n");
+ goto error;
+ }
+
+ if (*buf_size < rx_message.BodyLength) {
+ efi_status = EFI_BAD_BUFFER_SIZE;
+ perror(L"Invalid Content-Length\n");
goto error;
}
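Review bot: The `*buf_size == 0` branch jumps to `error` without assigning `efi_status`, while the new `*buf_size < rx_message.BodyLength` branch directly below it sets `EFI_BAD_BUFFER_SIZE`. The caller therefore gets whatever status the earlier calls left, and if that is a success code (not visible in this hunk) a missing Content-Length would be reported as success. Adding `efi_status = EFI_BAD_BUFFER_SIZE;` before the first `goto error;` would make both rejections consistent. The new comparison bounds only the body length of the response already received at this point; the allocation and the copies are outside the hunk, so it is worth confirming that any later receive also checks the running total against `*buf_size`. A short comment above the new check, such as `/* Content-Length comes from the server; never copy more than was allocated */`, would record why it exists.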