From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B517B81EC7 for ; Tue, 15 Nov 2016 21:38:43 -0800 (PST) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga104.jf.intel.com with ESMTP; 15 Nov 2016 21:38:48 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,646,1473145200"; d="scan'208";a="1085856269" Received: from sfu5-mobl3.ccr.corp.intel.com ([10.239.194.23]) by fmsmga002.fm.intel.com with ESMTP; 15 Nov 2016 21:38:47 -0800 From: Fu Siyuan To: edk2-devel@lists.01.org Cc: Ye Ting , Wu Jiaxin Date: Wed, 16 Nov 2016 13:38:42 +0800 Message-Id: <1479274723-9468-2-git-send-email-siyuan.fu@intel.com> X-Mailer: git-send-email 2.7.4.windows.1 In-Reply-To: <1479274723-9468-1-git-send-email-siyuan.fu@intel.com> References: <1479274723-9468-1-git-send-email-siyuan.fu@intel.com> Subject: [Patch 1/2] MdeModulePkg: Check for the max DHCP packet length before use it. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2016 05:38:43 -0000 This patch updates the PXE driver to drop the input DHCP packet if it exceed the maximum length. Cc: Ye Ting Cc: Wu Jiaxin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Fu Siyuan --- .../Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c | 23 ++++++++++++++++++++++ .../Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c index eac955c..f03176b 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c @@ -912,6 +912,14 @@ PxeBcDhcpCallBack ( case Dhcp4SendDiscover: case Dhcp4SendRequest: + if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) { + // + // If the to be sent packet exceeds the maximum length, abort the DHCP process. + // + Status = EFI_ABORTED; + break; + } + if (Mode->SendGUID) { // // send the system GUID instead of the MAC address as the hardware address @@ -942,6 +950,13 @@ PxeBcDhcpCallBack ( case Dhcp4RcvdOffer: Status = EFI_NOT_READY; + if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) { + // + // Ignore the incoming Offers which exceed the maximum length. + // + break; + } + if (Private->NumOffers < PXEBC_MAX_OFFER_NUM) { // // Cache the dhcp offers in Private->Dhcp4Offers[] @@ -967,6 +982,14 @@ PxeBcDhcpCallBack ( break; case Dhcp4RcvdAck: + if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) { + // + // Abort the DHCP if the ACK packet exceeds the maximum length. + // + Status = EFI_ABORTED; + break; + } + // // Cache Ack // diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h index abdf05d..614ea75 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h @@ -18,7 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define PXEBC_DHCP4_MAX_OPTION_NUM 16 #define PXEBC_DHCP4_MAX_OPTION_SIZE 312 -#define PXEBC_DHCP4_MAX_PACKET_SIZE 1472 +#define PXEBC_DHCP4_MAX_PACKET_SIZE (sizeof (EFI_PXE_BASE_CODE_PACKET)) #define PXEBC_DHCP4_S_PORT 67 #define PXEBC_DHCP4_C_PORT 68 -- 2.7.4.windows.1