From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 77EA921A070B8
 for <edk2-devel@lists.01.org>; Tue, 26 Feb 2019 03:17:00 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
 [10.5.11.16])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id D1706155AC;
 Tue, 26 Feb 2019 11:16:59 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-155.rdu2.redhat.com
 [10.10.120.155])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 91B555C6AA;
 Tue, 26 Feb 2019 11:16:58 +0000 (UTC)
To: Jiaxin Wu <Jiaxin.wu@intel.com>, edk2-devel@lists.01.org
Cc: Ye Ting <ting.ye@intel.com>, Wang Fan <fan.wang@intel.com>,
 Fu Siyuan <siyuan.fu@intel.com>
References: <20190226081416.9400-1-Jiaxin.wu@intel.com>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <46aa146d-addb-b14e-37be-12e29b1bc4f4@redhat.com>
Date: Tue, 26 Feb 2019 12:16:57 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20190226081416.9400-1-Jiaxin.wu@intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.29]); Tue, 26 Feb 2019 11:16:59 +0000 (UTC)
Subject: Re: [PATCH v1] NetworkPkg/DnsDxe: Check the received packet size before parsing the message.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 11:17:00 -0000
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 02/26/19 09:14, Jiaxin Wu wrote:
> Fix CVE-2018-12178
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809
> 
> The DNS driver only checks the received packet size against the
> minimum DNS header size in DnsOnPacketReceived(), later it accesses
> the QueryName and QuerySection beyond the header scope, which might
> cause the pointer within DNS driver points to an invalid entry or
> modifies the memory content beyond the header scope.
> 
> This patch is to fix above problem.
> 
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Wang Fan <fan.wang@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
>  NetworkPkg/DnsDxe/DnsImpl.c | 77 ++++++++++++++++++++++++++++++++-----
>  NetworkPkg/DnsDxe/DnsImpl.h |  2 +
>  2 files changed, 69 insertions(+), 10 deletions(-)

Please put the precise CVE number in the subject line.

Laszlo