From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 729A22265A34C
 for <edk2-devel@lists.01.org>; Wed, 11 Apr 2018 03:42:56 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
 [10.11.54.4])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 788D28DC24;
 Wed, 11 Apr 2018 10:42:54 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-97.rdu2.redhat.com
 [10.10.120.97])
 by smtp.corp.redhat.com (Postfix) with ESMTP id BF1492026E03;
 Wed, 11 Apr 2018 10:42:53 +0000 (UTC)
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel@lists.01.org
Cc: Jiaxin Wu <jiaxin.wu@intel.com>,
	Siyuan Fu <siyuan.fu@intel.com>
Date: Wed, 11 Apr 2018 12:42:41 +0200
Message-Id: <20180411104247.3758-4-lersek@redhat.com>
In-Reply-To: <20180411104247.3758-1-lersek@redhat.com>
References: <20180411104247.3758-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.11.55.2]); Wed, 11 Apr 2018 10:42:54 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]);
 Wed, 11 Apr 2018 10:42:54 +0000 (UTC) for IP:'10.11.54.4'
 DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com'
 HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: [PATCH v2 3/9] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 10:42:57 -0000

TlsSetSessionData() shouldn't just ignore an incomplete EFI_TLS_CIPHER
element at the end of "Data":

- Generally speaking, malformed input for a security API is best rejected
  explicitly.

- Specifically speaking, the size of EFI_TLS_CIPHER is 2 bytes. If
  DataSize is 1 on input, then the initial check for (DataSize == 0) will
  fail, but then TlsSetCipherList() will be called with CipherNum=0.

Return EFI_INVALID_PARAMETER from TlsSetSessionData() if "Data" doesn't
contain a whole number of EFI_TLS_CIPHER elements. While at it, introduce
the dedicated variable CipherCount.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
---

Notes:
    v2:
    - pick up Siyuan's R-b

 NetworkPkg/TlsDxe/TlsProtocol.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtocol.c
index ad4c922c60bd..a5f95a098345 100644
--- a/NetworkPkg/TlsDxe/TlsProtocol.c
+++ b/NetworkPkg/TlsDxe/TlsProtocol.c
@@ -35,12 +35,13 @@ EFI_TLS_PROTOCOL  mTlsProtocol = {
 
   @retval EFI_SUCCESS             The TLS session data is set successfully.
   @retval EFI_INVALID_PARAMETER   One or more of the following conditions is TRUE:
                                   This is NULL.
                                   Data is NULL.
                                   DataSize is 0.
+                                  DataSize is invalid for DataType.
   @retval EFI_UNSUPPORTED         The DataType is unsupported.
   @retval EFI_ACCESS_DENIED       If the DataType is one of below:
                                   EfiTlsClientRandom
                                   EfiTlsServerRandom
                                   EfiTlsKeyMaterial
   @retval EFI_NOT_READY           Current TLS session state is NOT
@@ -56,12 +57,13 @@ TlsSetSessionData (
   IN     UINTN                         DataSize
   )
 {
   EFI_STATUS                Status;
   TLS_INSTANCE              *Instance;
   UINT16                    *CipherId;
+  UINTN                     CipherCount;
   UINTN                     Index;
 
   EFI_TPL                   OldTpl;
 
   Status = EFI_SUCCESS;
   CipherId = NULL;
@@ -97,23 +99,29 @@ TlsSetSessionData (
       goto ON_EXIT;
     }
 
     Status = TlsSetConnectionEnd (Instance->TlsConn, *((EFI_TLS_CONNECTION_END *) Data));
     break;
   case EfiTlsCipherList:
+    if (DataSize % sizeof (EFI_TLS_CIPHER) != 0) {
+      Status = EFI_INVALID_PARAMETER;
+      goto ON_EXIT;
+    }
+
     CipherId = AllocatePool (DataSize);
     if (CipherId == NULL) {
       Status = EFI_OUT_OF_RESOURCES;
       goto ON_EXIT;
     }
 
-    for (Index = 0; Index < DataSize / sizeof (EFI_TLS_CIPHER); Index++) {
+    CipherCount = DataSize / sizeof (EFI_TLS_CIPHER);
+    for (Index = 0; Index < CipherCount; Index++) {
       *(CipherId +Index) = HTONS (*(((UINT16 *) Data) + Index));
     }
 
-    Status = TlsSetCipherList (Instance->TlsConn, CipherId, DataSize / sizeof (EFI_TLS_CIPHER));
+    Status = TlsSetCipherList (Instance->TlsConn, CipherId, CipherCount);
 
     FreePool (CipherId);
     break;
   case EfiTlsCompressionMethod:
     //
     // TLS seems only define one CompressionMethod.null, which specifies that data exchanged via the
-- 
2.14.1.3.gb7cf6e02401b