From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 77EA921A070B8 for ; Tue, 26 Feb 2019 03:17:00 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D1706155AC; Tue, 26 Feb 2019 11:16:59 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-155.rdu2.redhat.com [10.10.120.155]) by smtp.corp.redhat.com (Postfix) with ESMTP id 91B555C6AA; Tue, 26 Feb 2019 11:16:58 +0000 (UTC) To: Jiaxin Wu , edk2-devel@lists.01.org Cc: Ye Ting , Wang Fan , Fu Siyuan References: <20190226081416.9400-1-Jiaxin.wu@intel.com> From: Laszlo Ersek Message-ID: <46aa146d-addb-b14e-37be-12e29b1bc4f4@redhat.com> Date: Tue, 26 Feb 2019 12:16:57 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20190226081416.9400-1-Jiaxin.wu@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Tue, 26 Feb 2019 11:16:59 +0000 (UTC) Subject: Re: [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Feb 2019 11:17:00 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 02/26/19 09:14, Jiaxin Wu wrote: > Fix CVE-2018-12178 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809 > > The DNS driver only checks the received packet size against the > minimum DNS header size in DnsOnPacketReceived(), later it accesses > the QueryName and QuerySection beyond the header scope, which might > cause the pointer within DNS driver points to an invalid entry or > modifies the memory content beyond the header scope. > > This patch is to fix above problem. > > Cc: Ye Ting > Cc: Fu Siyuan > Cc: Wang Fan > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Wu Jiaxin > --- > NetworkPkg/DnsDxe/DnsImpl.c | 77 ++++++++++++++++++++++++++++++++----- > NetworkPkg/DnsDxe/DnsImpl.h | 2 + > 2 files changed, 69 insertions(+), 10 deletions(-) Please put the precise CVE number in the subject line. Laszlo