From: "bryan-bt.tan via groups.io"
To: Doug Flick, devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH v2 04/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
Date: Mon, 05 Feb 2024 05:46:43 -0800
Message-ID: <6815.1707140803862257168@groups.io>
Reply-To: devel@edk2.groups.io,bryan-bt.tan@broadcom.com

On Thu, Jan 25, 2024 at 11:06 PM, Doug Flick wrote:
<snip>
@@ -641,7 +642,7 @@ Dhcp6UpdateIaInfo (
= Option =3D3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode)= =3D
;=3D0D
=3D0D
if (Option !=3D3D NULL) {=3D0D
- StsCo= de =3D3D NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4)));=3D0D
+ StsC= ode =3D3D NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN=3D
(Option))));=3D0D
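Review bot: in Dhcp6UpdateIaInfo the added line reads StsCode through DHCP6_OFFSET_OF_OPT_LEN (Option), while the removed line read it at Option + 4. Going by the macro's name, the new read lands on the option-len field instead of the status code, so the value compared afterwards would be the option's length and a non-success status from the server could be misread. Use the macro for the status-code offset here so the behaviour matches the old Option + 4. Nothing in the visible lines checks that the option returned by Dhcp6SeekOption is long enough to hold the 2-byte status code before ReadUnaligned16 runs; if that is guaranteed elsewhere, a one-line comment saying so would help.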
This should be DHCP6_OFFSET_OF_STATUS_CODE.
<snip>
@@ -715,52 +803,35 @@ Dhcp6SeekStsOption (}=3D0D
=3D0D
//=3D0D
- // The format of the IA_NA option = is:=3D0D
+ // Calculate the distance from Packet->Dhcp6.Option to t= he IA option.=3D0D
//=3D0D
- // 0 1 2 3=3D0D
- // 0 1 2 3 4 = 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1=3D0D
- // +-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=3D
=3D0D- // | OPTION_IA_NA | option-len |=3D
=3D0D
- // +-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=3D
=3D0D
- = // | IAID (4 octets) |=3D
=3D0D
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=3D
=3D0D
- // | T1 |=3D
=3D0D
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+=3D
=3D0D
- // | T2 |=3D
=3D0D
- // +-+-+-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+=3D
=3D0D
-= // | |=3D
=3D0D
- // . IA_NA-options .=3D
=3D0D
- // .= .=3D
=3D0D
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+=3D
=3D0D
+ // Packet->Size and Packet->Le= ngth are both UINT32 type, and Packet->Siz=3D
e is=3D0D
+ // t= he size of the whole packet, including the DHCP header, and Packet->=3D<= br />Length=3D0D
+ // is the length of the DHCP message body, excludin= g the DHCP header.=3D0D
//=3D0D
- // The format of the IA_TA opti= on is:=3D0D
+ // (*Option - Packet->Dhcp6.Option) is the number of = bytes from the star=3D
t of=3D0D
+ // DHCP6 option area to the st= art of the IA option.=3D0D
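Review bot: the new comment in Dhcp6SeekStsOption says Packet->Length is the length of the DHCP message body "excluding the DHCP header", but the bounds arithmetic that follows depends on exactly that definition, and the expression quoted in the reply (Packet->Length - sizeof (Packet->Dhcp6.Header)) only makes sense if Length includes the header. Make the comment and the code agree on one definition, because an error of one header size here goes straight into the remaining-length calculation for the IA option. The comment should also state why (*Option - Packet->Dhcp6.Option) cannot exceed the option-area length, since both fields are UINT32 and a subtraction that underflows would yield a very large length. The hunk also drops the IA_NA and IA_TA layout diagrams; keeping at least a short reference to the option layout would let a reader check the offsets used below.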
Probably just my lack of understanding on DHCP, but earlier you do
`OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header);`
which seems to imply Packet->Length includes the DHCP header.
Am I missing something here?