From: "Fu, Siyuan"
To: Laszlo Ersek, edk2-devel-01
CC: "Wu, Jiaxin"
Subject: Re: [PATCH 03/13] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
Date: Tue, 10 Apr 2018 01:51:19 +0000
References: <20180403145149.8925-1-lersek@redhat.com> <20180403145149.8925-4-lersek@redhat.com>
In-Reply-To: <20180403145149.8925-4-lersek@redhat.com>
List-Id: EDK II Development

Reviewed-by: Fu Siyuan

> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com] > Sent: Tuesday, April 3, 2018 10:52 PM > To: edk2-devel-01 > Cc: Wu, Jiaxin ; Fu, Siyuan > Subject: [PATCH 03/13] NetworkPkg/TlsDxe: verify DataSize for > EfiTlsCipherList >=20 > TlsSetSessionData() shouldn't just ignore an incomplete EFI_TLS_CIPHER > element at the end of "Data": >=20 > - Generally speaking, malformed input for a security API is best rejected > explicitly. >=20 > - Specifically speaking, the size of EFI_TLS_CIPHER is 2 bytes. If > DataSize is 1 on input, then the initial check for (DataSize =3D=3D 0) = will > fail, but then TlsSetCipherList() will be called with CipherNum=3D0. >=20 > Return EFI_INVALID_PARAMETER from TlsSetSessionData() if "Data" doesn't > contain a whole number of EFI_TLS_CIPHER elements. While at it, introduce > the dedicated variable CipherCount. >=20 > Cc: Jiaxin Wu > Cc: Siyuan Fu > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D915 > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Laszlo Ersek > --- > NetworkPkg/TlsDxe/TlsProtocol.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) >=20 > diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c > b/NetworkPkg/TlsDxe/TlsProtocol.c > index ad4c922c60bd..a5f95a098345 100644 > --- a/NetworkPkg/TlsDxe/TlsProtocol.c > +++ b/NetworkPkg/TlsDxe/TlsProtocol.c > @@ -35,12 +35,13 @@ EFI_TLS_PROTOCOL mTlsProtocol =3D { >=20 > @retval EFI_SUCCESS The TLS session data is set > successfully. > @retval EFI_INVALID_PARAMETER One or more of the following condition= s > is TRUE: > This is NULL. > Data is NULL. > DataSize is 0. > + DataSize is invalid for DataType. > @retval EFI_UNSUPPORTED The DataType is unsupported. > @retval EFI_ACCESS_DENIED If the DataType is one of below: > EfiTlsClientRandom > EfiTlsServerRandom > EfiTlsKeyMaterial > @retval EFI_NOT_READY Current TLS session state is NOT 
> @@ -56,12 +57,13 @@ TlsSetSessionData ( > IN UINTN DataSize > ) > { > EFI_STATUS Status; > TLS_INSTANCE *Instance; > UINT16 *CipherId; > + UINTN CipherCount; > UINTN Index; >=20 > EFI_TPL OldTpl; >=20 > Status =3D EFI_SUCCESS; > CipherId =3D NULL; > @@ -97,23 +99,29 @@ TlsSetSessionData ( > goto ON_EXIT; > } >=20 > Status =3D TlsSetConnectionEnd (Instance->TlsConn, > *((EFI_TLS_CONNECTION_END *) Data)); > break; > case EfiTlsCipherList: > + if (DataSize % sizeof (EFI_TLS_CIPHER) !=3D 0) { > + Status =3D EFI_INVALID_PARAMETER; > + goto ON_EXIT; > + } > + > CipherId =3D AllocatePool (DataSize); > if (CipherId =3D=3D NULL) { > Status =3D EFI_OUT_OF_RESOURCES; > goto ON_EXIT; > } >=20 > - for (Index =3D 0; Index < DataSize / sizeof (EFI_TLS_CIPHER); Index+= +) > { > + CipherCount =3D DataSize / sizeof (EFI_TLS_CIPHER); > + for (Index =3D 0; Index < CipherCount; Index++) { > *(CipherId +Index) =3D HTONS (*(((UINT16 *) Data) + Index)); > } >=20 > - Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, DataSize / > sizeof (EFI_TLS_CIPHER)); > + Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, CipherCoun= t); >=20 > FreePool (CipherId); > break; > case EfiTlsCompressionMethod: > // > // TLS seems only define one CompressionMethod.null, which specifies > that data exchanged via the > -- > 2.14.1.3.gb7cf6e02401b >=20
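Review bot: the new @retval text "DataSize is invalid for DataType." in the first hunk is generic, while the only size rule this patch enforces is that DataSize be a whole multiple of sizeof (EFI_TLS_CIPHER) for EfiTlsCipherList; consider naming that condition in the comment (or in a comment on the EfiTlsCipherList case itself) so callers can tell which DataSize values are rejected.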
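Review bot: the modulo check at the top of the EfiTlsCipherList case closes the DataSize = 1 hole described in the commit message, but the pool size and the copy loop still assume sizeof (EFI_TLS_CIPHER) == sizeof (UINT16): CipherId is a UINT16 * allocated with DataSize bytes and the loop reads `*(((UINT16 *) Data) + Index)`, so a static assertion or a one-line comment next to the new check would pin that assumption down. The early `goto ON_EXIT` before AllocatePool needs no cleanup, since CipherId is set to NULL at the top of the function.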
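To make the commit message's DataSize = 1 case concrete, here is an added C model of the EfiTlsCipherList branch (example code written for this reply, not TlsDxe's own source) with stand-in EDK II types, a stubbed TlsSetCipherList that records what it receives, and a Strict switch selecting the pre-patch or the patched validation. It assumes a little-endian host, as EDK II's HTONS does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the EDK II names used by TlsSetSessionData (constructed for
   this example; the status values are placeholders, not the firmware's). */
typedef uint16_t UINT16;
typedef size_t   UINTN;
typedef int      EFI_STATUS;
enum { EFI_SUCCESS = 0, EFI_INVALID_PARAMETER = 2, EFI_OUT_OF_RESOURCES = 9 };
typedef struct { UINT16 Data; } EFI_TLS_CIPHER;   /* 2 bytes, as the commit message states */
#define HTONS(x) ((UINT16)((((x) & 0xffU) << 8) | (((x) >> 8) & 0xffU)))  /* unconditional swap */

/* What the stubbed TlsSetCipherList last received. */
static UINTN  gLastCipherNum;
static UINT16 gLastCipherIds[8];

static EFI_STATUS TlsSetCipherListStub(const UINT16 *CipherId, UINTN CipherNum) {
  gLastCipherNum = CipherNum;
  memcpy(gLastCipherIds, CipherId, CipherNum * sizeof(UINT16));
  return EFI_SUCCESS;
}

/* The EfiTlsCipherList branch. Strict == 0 mirrors the pre-patch code, which
   silently drops a trailing partial element; Strict != 0 adds the patch's
   DataSize % sizeof (EFI_TLS_CIPHER) check. */
static EFI_STATUS SetCipherList(const void *Data, UINTN DataSize, int Strict) {
  if (Data == NULL || DataSize == 0) return EFI_INVALID_PARAMETER;   /* existing checks */
  if (Strict && DataSize % sizeof(EFI_TLS_CIPHER) != 0) return EFI_INVALID_PARAMETER;
  UINT16 *CipherId = malloc(DataSize);                                /* AllocatePool (DataSize) */
  if (CipherId == NULL) return EFI_OUT_OF_RESOURCES;
  UINTN CipherCount = DataSize / sizeof(EFI_TLS_CIPHER);              /* 0 when DataSize == 1 */
  for (UINTN Index = 0; Index < CipherCount; Index++) {
    UINT16 Raw;
    memcpy(&Raw, (const uint8_t *)Data + Index * sizeof(UINT16), sizeof Raw); /* no unaligned read */
    CipherId[Index] = HTONS(Raw);
  }
  EFI_STATUS Status = TlsSetCipherListStub(CipherId, CipherCount);
  free(CipherId);
  return Status;
}

/* Constructed input: cipher ids 0x002F and 0x0035 in wire order, then one stray byte. */
static const uint8_t kCipherBytes[5] = { 0x00, 0x2f, 0x00, 0x35, 0x00 };
```

With Strict = 0, DataSize = 1 and DataSize = 5 both return EFI_SUCCESS and hand TlsSetCipherList a truncated list (0 and 2 entries); with Strict = 1 both are rejected with EFI_INVALID_PARAMETER.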