From 572cd24c4971c713f5fe06df55a8d78c3553c4ed Mon Sep 17 00:00:00 2001 From: Jiping Ma Date: Tue, 31 Aug 2021 20:07:04 -0700 Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data packets The block number is a 16-bit counter which only allows to fetch files no bigger than 65535 * blksize. To avoid this limit, the counter is rolled over. This behavior isn't defined in RFC 1350 but is handled by many TFTP servers and it's what GRUB was doing before implicitly due an overflow. Closes-Bug: #1938559 Signed-off-by: Jiping Ma Change-Id: I4a0c04cf15b87f6f40c7a979d20fb3c57657cefd --- ...lock-counter-to-prevent-timeouts-wit.patch | 23 ++++++++++ grub/grub2/centos/meta_patches/PATCH_ORDER | 1 + ...lock-counter-to-prevent-timeouts-wit.patch | 45 +++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 grub/grub2/centos/meta_patches/0013-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch create mode 100644 grub/grub2/centos/patches/1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch diff --git a/grub/grub2/centos/meta_patches/0013-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch b/grub/grub2/centos/meta_patches/0013-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch new file mode 100644 index 000000000..4165b928f --- /dev/null +++ b/grub/grub2/centos/meta_patches/0013-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch @@ -0,0 +1,23 @@ +From cff7cf7787b4619a7cbbe5ccbbfeced54999ad70 Mon Sep 17 00:00:00 2001 +From: jma1 +Date: Mon, 30 Aug 2021 06:27:13 +0000 +Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data + +Signed-off-by: Jiping Ma +--- + grub.patches | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/grub.patches b/grub.patches +index 678ba4b..ece014a 100644 +--- a/SOURCES/grub.patches ++++ b/SOURCES/grub.patches +@@ -335,4 +335,5 @@ Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch + Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch + Patch1001: 1001-add-tboot.patch + Patch1002: 1002-Don-t-write-trailing-colon-when-populating-MAC-strin.patch ++Patch1003: 1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch + +-- +2.29.2 + diff --git a/grub/grub2/centos/meta_patches/PATCH_ORDER b/grub/grub2/centos/meta_patches/PATCH_ORDER index db291d19a..542fa1763 100644 --- a/grub/grub2/centos/meta_patches/PATCH_ORDER +++ b/grub/grub2/centos/meta_patches/PATCH_ORDER @@ -9,3 +9,4 @@ 0010-grub2-add-tboot.patch 0011-grub2-fix-str-for-6B-macs.patch 0012-grub2-Don-t-strip-img-files-from-non-EFI-build.patch +0013-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch diff --git a/grub/grub2/centos/patches/1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch b/grub/grub2/centos/patches/1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch new file mode 100644 index 000000000..b31c7765c --- /dev/null +++ b/grub/grub2/centos/patches/1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch @@ -0,0 +1,45 @@ +From 250304ce7a6f31e3999d128183fe299b99ec95aa Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 24 Aug 2020 14:46:27 +0200 +Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data + packets + +The block number is a 16-bit counter which only allows to fetch +files no bigger than 65535 * blksize. To avoid this limit, the +counter is rolled over. This behavior isn't defined in RFC 1350 +but is handled by many TFTP servers and it's what GRUB was doing +before implicitly due an overflow. + +Suggested-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Jiping Ma +--- + grub-core/net/tftp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c +index 79c16f9..eab9ab7 100644 +--- a/grub-core/net/tftp.c ++++ b/grub-core/net/tftp.c +@@ -183,8 +183,16 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), + return GRUB_ERR_NONE; + } + +- /* Ack old/retransmitted block. */ +- if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1) ++ /* ++ * Ack old/retransmitted block. ++ * ++ * The block number is a 16-bit counter which only allows to fetch ++ * files no bigger than 65535 * blksize. To avoid this limit, the ++ * counter is rolled over. This behavior isn't defined in RFC 1350 ++ * but is handled by many TFTP servers and it's what GRUB was doing ++ * before implicitly due an overflow. ++ */ ++ if (grub_be_to_cpu16 (tftph->u.data.block) < ((data->block + 1) & 0xffffu)) + ack (data, grub_be_to_cpu16 (tftph->u.data.block)); + /* Ignore unexpected block. */ + else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1) +-- +2.31.1 +