From: "Siyuan, Fu"
To: "devel@edk2.groups.io", "Wu, Jiaxin"
CC: Maciej Rabeda
Subject: Re: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
Date: Wed, 19 Feb 2020 05:27:23 +0000
References: <20200218055203.14732-1-Jiaxin.wu@intel.com>
In-Reply-To: <20200218055203.14732-1-Jiaxin.wu@intel.com>
Return-Path: siyuan.fu@intel.com