On Sat, Mar 05, 2022 at 12:39:04AM +1100, Daniel Axtens wrote: > GRUB netbuff structure members track 2 different things: the extent of memory > allocated for the packet, and the extent of memory currently being worked on. > > This works out in the structure as follows: > > nb->head: beginning of the allocation > nb->data: beginning of the working data > nb->tail: end of the working data > nb->end: end of the allocation > > The head and end pointers are set in grub_netbuff_alloc and do not change. > The data and tail pointers are initialised to point at start of the > allocation (that is, head == data == tail initially), and are then > manipulated by grub_netbuff_* functions. Key functions are as follows: > > - grub_netbuff_put: 'Put' more data into the packet - advance nb->tail. > - grub_netbuff_unput: trim the tail of the packet - retract nb->tail > - grub_netbuff_pull: 'consume' some packet data - advance nb->data > - grub_netbuff_reserve: reserve space for future headers - advance nb->data > and > nb->tail > - grub_netbuff_push: 'un-consume' data to allow headers to be written - > retract nb->data. > > Each of those functions does some form of error checking. For example, > grub_netbuff_put does not allow nb->tail to exceed nb->end, and > grub_netbuff_push does not allow nb->data to be before nb->head. > > However, grub_netbuff_pull's error checking is a bit weird. It advances > nb->data > and checks that it does not exceed nb->end. That allows you to get into the > situation where nb->data > nb->tail, which should not be. > > Make grub_netbuff_pull check against both nb->tail and nb->end. In theory just > checking against ->tail should be sufficient but the extra check should be > cheap and seems like good defensive practice. > > Signed-off-by: Daniel Axtens <d...@axtens.net>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel