[PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

* [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
@ 2020-02-18  5:52 Wu, Jiaxin
  2020-02-19  5:23 ` [edk2-devel] " Liming Gao
  2020-02-19  5:27 ` Siyuan, Fu
  0 siblings, 2 replies; 3+ messages in thread
From: Wu, Jiaxin @ 2020-02-18  5:52 UTC (permalink / raw)
  To: devel; +Cc: Fu Siyuan, Maciej Rabeda, Wu Jiaxin

v3: correct the coding style.
v2: correct the commit message & add BZ number.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610

This patch is to check the received package length to make sure the package
has a valid length field.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
index fec242c71f..868f04812c 100644
--- a/NetworkPkg/Ip4Dxe/Ip4Input.c
+++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
@@ -1,9 +1,9 @@
 /** @file
   IP4 input process.
 
-Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
 
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -709,14 +709,10 @@ Ip4PreProcessPacket (
   UINT16                    Checksum;
 
   //
   // Check if the IP4 header is correctly formatted.
   //
-  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
-    return EFI_INVALID_PARAMETER;
-  }
-
   HeadLen  = (Head->HeadLen << 2);
   TotalLen = NTOHS (Head->TotalLen);
 
   //
   // Mnp may deliver frame trailer sequence up, trim it off.
@@ -806,10 +802,34 @@ Ip4PreProcessPacket (
   }
 
   return EFI_SUCCESS;
 }
 
+/**
+  This function checks the IPv4 packet length.
+
+  @param[in]       Packet          Pointer to the IPv4 Packet to be checked.
+
+  @retval TRUE                   The input IPv4 packet length is valid.
+  @retval FALSE                  The input IPv4 packet length is invalid.
+
+**/
+BOOLEAN
+Ip4IsValidPacketLength (
+  IN NET_BUF        *Packet
+  )
+{
+  //
+  // Check the IP4 packet length.
+  //
+  if (Packet->TotalSize < IP4_MIN_HEADLEN) {
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 /**
   The IP4 input routine. It is called by the IP4_INTERFACE when a
   IP4 fragment is received from MNP.
 
   @param[in]  Ip4Instance        The IP4 child that request the receive, most like
@@ -842,10 +862,14 @@ Ip4AccpetFrame (
 
   if (EFI_ERROR (IoStatus) || (IpSb->State == IP4_SERVICE_DESTROY)) {
     goto DROP;
   }
 
+  if (!Ip4IsValidPacketLength (Packet)) {
+    goto RESTART;
+  }
+
   Head      = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
   ASSERT (Head != NULL);
   OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
   if (OptionLen > 0) {
     Option = (UINT8 *) (Head + 1);
@@ -888,14 +912,18 @@ Ip4AccpetFrame (
   //
   // If the packet is protected by tunnel mode, parse the inner Ip Packet.
   //
   ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
   if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
-  // Packet may have been changed. Head, HeadLen, TotalLen, and
-  // info must be reloaded before use. The ownership of the packet
-  // is transferred to the packet process logic.
-  //
+    // Packet may have been changed. Head, HeadLen, TotalLen, and
+    // info must be reloaded before use. The ownership of the packet
+    // is transferred to the packet process logic.
+    //
+    if (!Ip4IsValidPacketLength (Packet)) {
+      goto RESTART;
+    }
+
     Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
     ASSERT (Head != NULL);
     Status = Ip4PreProcessPacket (
                IpSb,
                &Packet,
-- 
2.16.2.windows.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
  2020-02-18  5:52 [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559) Wu, Jiaxin
@ 2020-02-19  5:23 ` Liming Gao
  2020-02-19  5:27 ` Siyuan, Fu
  1 sibling, 0 replies; 3+ messages in thread
From: Liming Gao @ 2020-02-19  5:23 UTC (permalink / raw)
  To: devel@edk2.groups.io, Wu, Jiaxin, Fu, Siyuan, Maciej Rabeda

Siyuan and Maciej:
  Can you help review this patch? I would like to make CVE fix catch this stable tag edk2 202002.

Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu, Jiaxin
> Sent: Tuesday, February 18, 2020 1:52 PM
> To: devel@edk2.groups.io
> Cc: Fu, Siyuan <siyuan.fu@intel.com>; Maciej Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
> 
> v3: correct the coding style.
> v2: correct the commit message & add BZ number.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
> 
> This patch is to check the received package length to make sure the package
> has a valid length field.
> 
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
>  NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++---------
>  1 file changed, 37 insertions(+), 9 deletions(-)
> 
> diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
> index fec242c71f..868f04812c 100644
> --- a/NetworkPkg/Ip4Dxe/Ip4Input.c
> +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
> @@ -1,9 +1,9 @@
>  /** @file
>    IP4 input process.
> 
> -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
>  (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
> 
>  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  **/
> @@ -709,14 +709,10 @@ Ip4PreProcessPacket (
>    UINT16                    Checksum;
> 
>    //
>    // Check if the IP4 header is correctly formatted.
>    //
> -  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
> -    return EFI_INVALID_PARAMETER;
> -  }
> -
>    HeadLen  = (Head->HeadLen << 2);
>    TotalLen = NTOHS (Head->TotalLen);
> 
>    //
>    // Mnp may deliver frame trailer sequence up, trim it off.
> @@ -806,10 +802,34 @@ Ip4PreProcessPacket (
>    }
> 
>    return EFI_SUCCESS;
>  }
> 
> +/**
> +  This function checks the IPv4 packet length.
> +
> +  @param[in]       Packet          Pointer to the IPv4 Packet to be checked.
> +
> +  @retval TRUE                   The input IPv4 packet length is valid.
> +  @retval FALSE                  The input IPv4 packet length is invalid.
> +
> +**/
> +BOOLEAN
> +Ip4IsValidPacketLength (
> +  IN NET_BUF        *Packet
> +  )
> +{
> +  //
> +  // Check the IP4 packet length.
> +  //
> +  if (Packet->TotalSize < IP4_MIN_HEADLEN) {
> +    return FALSE;
> +  }
> +
> +  return TRUE;
> +}
> +
>  /**
>    The IP4 input routine. It is called by the IP4_INTERFACE when a
>    IP4 fragment is received from MNP.
> 
>    @param[in]  Ip4Instance        The IP4 child that request the receive, most like
> @@ -842,10 +862,14 @@ Ip4AccpetFrame (
> 
>    if (EFI_ERROR (IoStatus) || (IpSb->State == IP4_SERVICE_DESTROY)) {
>      goto DROP;
>    }
> 
> +  if (!Ip4IsValidPacketLength (Packet)) {
> +    goto RESTART;
> +  }
> +
>    Head      = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
>    ASSERT (Head != NULL);
>    OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
>    if (OptionLen > 0) {
>      Option = (UINT8 *) (Head + 1);
> @@ -888,14 +912,18 @@ Ip4AccpetFrame (
>    //
>    // If the packet is protected by tunnel mode, parse the inner Ip Packet.
>    //
>    ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
>    if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
> -  // Packet may have been changed. Head, HeadLen, TotalLen, and
> -  // info must be reloaded before use. The ownership of the packet
> -  // is transferred to the packet process logic.
> -  //
> +    // Packet may have been changed. Head, HeadLen, TotalLen, and
> +    // info must be reloaded before use. The ownership of the packet
> +    // is transferred to the packet process logic.
> +    //
> +    if (!Ip4IsValidPacketLength (Packet)) {
> +      goto RESTART;
> +    }
> +
>      Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
>      ASSERT (Head != NULL);
>      Status = Ip4PreProcessPacket (
>                 IpSb,
>                 &Packet,
> --
> 2.16.2.windows.1
> 
> 
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
  2020-02-18  5:52 [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559) Wu, Jiaxin
  2020-02-19  5:23 ` [edk2-devel] " Liming Gao
@ 2020-02-19  5:27 ` Siyuan, Fu
  1 sibling, 0 replies; 3+ messages in thread
From: Siyuan, Fu @ 2020-02-19  5:27 UTC (permalink / raw)
  To: devel@edk2.groups.io, Wu, Jiaxin; +Cc: Maciej Rabeda

Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu,
> Jiaxin
> Sent: 2020年2月18日 13:52
> To: devel@edk2.groups.io
> Cc: Fu, Siyuan <siyuan.fu@intel.com>; Maciej Rabeda
> <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received
> package length (CVE-2019-14559).
> 
> v3: correct the coding style.
> v2: correct the commit message & add BZ number.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
> 
> This patch is to check the received package length to make sure the package
> has a valid length field.
> 
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
>  NetworkPkg/Ip4Dxe/Ip4Input.c | 46
> +++++++++++++++++++++++++++++++++++---------
>  1 file changed, 37 insertions(+), 9 deletions(-)
> 
> diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
> index fec242c71f..868f04812c 100644
> --- a/NetworkPkg/Ip4Dxe/Ip4Input.c
> +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
> @@ -1,9 +1,9 @@
>  /** @file
>    IP4 input process.
> 
> -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
>  (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
> 
>  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  **/
> @@ -709,14 +709,10 @@ Ip4PreProcessPacket (
>    UINT16                    Checksum;
> 
>    //
>    // Check if the IP4 header is correctly formatted.
>    //
> -  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
> -    return EFI_INVALID_PARAMETER;
> -  }
> -
>    HeadLen  = (Head->HeadLen << 2);
>    TotalLen = NTOHS (Head->TotalLen);
> 
>    //
>    // Mnp may deliver frame trailer sequence up, trim it off.
> @@ -806,10 +802,34 @@ Ip4PreProcessPacket (
>    }
> 
>    return EFI_SUCCESS;
>  }
> 
> +/**
> +  This function checks the IPv4 packet length.
> +
> +  @param[in]       Packet          Pointer to the IPv4 Packet to be checked.
> +
> +  @retval TRUE                   The input IPv4 packet length is valid.
> +  @retval FALSE                  The input IPv4 packet length is invalid.
> +
> +**/
> +BOOLEAN
> +Ip4IsValidPacketLength (
> +  IN NET_BUF        *Packet
> +  )
> +{
> +  //
> +  // Check the IP4 packet length.
> +  //
> +  if (Packet->TotalSize < IP4_MIN_HEADLEN) {
> +    return FALSE;
> +  }
> +
> +  return TRUE;
> +}
> +
>  /**
>    The IP4 input routine. It is called by the IP4_INTERFACE when a
>    IP4 fragment is received from MNP.
> 
>    @param[in]  Ip4Instance        The IP4 child that request the receive, most
> like
> @@ -842,10 +862,14 @@ Ip4AccpetFrame (
> 
>    if (EFI_ERROR (IoStatus) || (IpSb->State == IP4_SERVICE_DESTROY)) {
>      goto DROP;
>    }
> 
> +  if (!Ip4IsValidPacketLength (Packet)) {
> +    goto RESTART;
> +  }
> +
>    Head      = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
>    ASSERT (Head != NULL);
>    OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
>    if (OptionLen > 0) {
>      Option = (UINT8 *) (Head + 1);
> @@ -888,14 +912,18 @@ Ip4AccpetFrame (
>    //
>    // If the packet is protected by tunnel mode, parse the inner Ip Packet.
>    //
>    ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
>    if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
> -  // Packet may have been changed. Head, HeadLen, TotalLen, and
> -  // info must be reloaded before use. The ownership of the packet
> -  // is transferred to the packet process logic.
> -  //
> +    // Packet may have been changed. Head, HeadLen, TotalLen, and
> +    // info must be reloaded before use. The ownership of the packet
> +    // is transferred to the packet process logic.
> +    //
> +    if (!Ip4IsValidPacketLength (Packet)) {
> +      goto RESTART;
> +    }
> +
>      Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
>      ASSERT (Head != NULL);
>      Status = Ip4PreProcessPacket (
>                 IpSb,
>                 &Packet,
> --
> 2.16.2.windows.1
> 
> 
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-02-19  5:27 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-02-18  5:52 [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559) Wu, Jiaxin
2020-02-19  5:23 ` [edk2-devel] " Liming Gao
2020-02-19  5:27 ` Siyuan, Fu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox