From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel@lists.01.org
Cc: Jiaxin Wu <jiaxin.wu@intel.com>, Siyuan Fu <siyuan.fu@intel.com>
Subject: [PATCH v2 3/9] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
Date: Wed, 11 Apr 2018 12:42:41 +0200 [thread overview]
Message-ID: <20180411104247.3758-4-lersek@redhat.com> (raw)
In-Reply-To: <20180411104247.3758-1-lersek@redhat.com>
TlsSetSessionData() shouldn't just ignore an incomplete EFI_TLS_CIPHER
element at the end of "Data":
- Generally speaking, malformed input for a security API is best rejected
explicitly.
- Specifically speaking, the size of EFI_TLS_CIPHER is 2 bytes. If
DataSize is 1 on input, then the initial check for (DataSize == 0) will
fail, but then TlsSetCipherList() will be called with CipherNum=0.
Return EFI_INVALID_PARAMETER from TlsSetSessionData() if "Data" doesn't
contain a whole number of EFI_TLS_CIPHER elements. While at it, introduce
the dedicated variable CipherCount.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
---
Notes:
v2:
- pick up Siyuan's R-b
NetworkPkg/TlsDxe/TlsProtocol.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c
index ad4c922c60bd..a5f95a098345 100644
--- a/NetworkPkg/TlsDxe/TlsProtocol.c
+++ b/NetworkPkg/TlsDxe/TlsProtocol.c
@@ -35,12 +35,13 @@ EFI_TLS_PROTOCOL mTlsProtocol = {
@retval EFI_SUCCESS The TLS session data is set successfully.
@retval EFI_INVALID_PARAMETER One or more of the following conditions is TRUE:
This is NULL.
Data is NULL.
DataSize is 0.
+ DataSize is invalid for DataType.
@retval EFI_UNSUPPORTED The DataType is unsupported.
@retval EFI_ACCESS_DENIED If the DataType is one of below:
EfiTlsClientRandom
EfiTlsServerRandom
EfiTlsKeyMaterial
@retval EFI_NOT_READY Current TLS session state is NOT
@@ -56,12 +57,13 @@ TlsSetSessionData (
IN UINTN DataSize
)
{
EFI_STATUS Status;
TLS_INSTANCE *Instance;
UINT16 *CipherId;
+ UINTN CipherCount;
UINTN Index;
EFI_TPL OldTpl;
Status = EFI_SUCCESS;
CipherId = NULL;
@@ -97,23 +99,29 @@ TlsSetSessionData (
goto ON_EXIT;
}
Status = TlsSetConnectionEnd (Instance->TlsConn, *((EFI_TLS_CONNECTION_END *) Data));
break;
case EfiTlsCipherList:
+ if (DataSize % sizeof (EFI_TLS_CIPHER) != 0) {
+ Status = EFI_INVALID_PARAMETER;
+ goto ON_EXIT;
+ }
+
CipherId = AllocatePool (DataSize);
if (CipherId == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
- for (Index = 0; Index < DataSize / sizeof (EFI_TLS_CIPHER); Index++) {
+ CipherCount = DataSize / sizeof (EFI_TLS_CIPHER);
+ for (Index = 0; Index < CipherCount; Index++) {
*(CipherId +Index) = HTONS (*(((UINT16 *) Data) + Index));
}
- Status = TlsSetCipherList (Instance->TlsConn, CipherId, DataSize / sizeof (EFI_TLS_CIPHER));
+ Status = TlsSetCipherList (Instance->TlsConn, CipherId, CipherCount);
FreePool (CipherId);
break;
case EfiTlsCompressionMethod:
//
// TLS seems only define one CompressionMethod.null, which specifies that data exchanged via the
--
2.14.1.3.gb7cf6e02401b
next prev parent reply other threads:[~2018-04-11 10:42 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-11 10:42 [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Laszlo Ersek
2018-04-12 7:08 ` Gary Lin
2018-04-12 8:49 ` Laszlo Ersek
2018-04-12 9:10 ` Gary Lin
2018-04-12 9:43 ` Laszlo Ersek
2018-04-12 10:17 ` Gary Lin
2018-04-12 17:10 ` Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 2/9] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC Laszlo Ersek
2018-04-11 10:42 ` Laszlo Ersek [this message]
2018-04-11 10:42 ` [PATCH v2 4/9] NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 5/9] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 6/9] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 7/9] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 8/9] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 9/9] CryptoPkg/TlsLib: rewrite TlsSetCipherList() Laszlo Ersek
2018-04-12 6:32 ` [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Long, Qin
2018-04-12 8:51 ` Laszlo Ersek
2018-04-12 7:28 ` Wu, Jiaxin
2018-04-12 8:50 ` Laszlo Ersek
2018-04-13 12:10 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180411104247.3758-4-lersek@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox