From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Siyuan Fu, Maciej Rabeda, Jiaxin Wu
Subject: [PATCH v1 1/1] NetworkPkg/Ip6Dxe: Validate source data record length
Date: Tue, 7 Apr 2020 22:46:37 -0700
X-Microsoft-Original-Message-ID: <20200408054637.17524-1-michael.kubacki@outlook.com>

From: Michael Kubacki

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2273

Ip6ConfigReadConfigData() reads configuration data from a UEFI variable and copies the data to another buffer. This change checks that the length of the data record being copied does not exceed the size of the source UEFI variable data buffer. If the size is exceeded, this change follows existing logic to treat the variable as corrupted and deletes the variable so it will be set again.

Cc: Siyuan Fu
Cc: Maciej Rabeda
Cc: Jiaxin Wu
Signed-off-by: Michael Kubacki
--- NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 47 +++++++++++++------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c index eb2a80b64f15..ab3801336912 100644 --- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c +++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c @@ -2,6 +2,7 @@ The implementation of EFI IPv6 Configuration Protocol. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent @@ -390,24 +391,9 @@ Ip6ConfigReadConfigData ( ); if (EFI_ERROR (Status) || (UINT16) (~NetblockChecksum ((UINT8 *) Variable, (UINT32) VarSize)) != 0) { // - // GetVariable still error or the variable is corrupted. - // Fall back to the default value. + // GetVariable error or the variable is corrupted. // - FreePool (Variable); - - // - // Remove the problematic variable and return EFI_NOT_FOUND, a new - // variable will be set again. - // - gRT->SetVariable ( - VarName, - &gEfiIp6ConfigProtocolGuid, - IP6_CONFIG_VARIABLE_ATTRIBUTE, - 0, - NULL - ); - - return EFI_NOT_FOUND; + goto Error; } // @@ -432,7 +418,12 @@ Ip6ConfigReadConfigData ( if (!DATA_ATTRIB_SET (DataItem->Attribute, DATA_ATTRIB_SIZE_FIXED)) { // // This data item has variable length data. + // Check that the length is contained within the variable before allocating. // + if (DataRecord.DataSize > VarSize - DataRecord.Offset) { + goto Error; + } + DataItem->Data.Ptr = AllocatePool (DataRecord.DataSize); if (DataItem->Data.Ptr == NULL) { // @@ -454,6 +445,28 @@ Ip6ConfigReadConfigData ( } return Status; + +Error: + // + // Fall back to the default value. + // + if (Variable != NULL) { + FreePool (Variable); + } + + // + // Remove the problematic variable and return EFI_NOT_FOUND, a new + // variable will be set again. + // + gRT->SetVariable ( + VarName, + &gEfiIp6ConfigProtocolGuid, + IP6_CONFIG_VARIABLE_ATTRIBUTE, + 0, + NULL + ); + + return EFI_NOT_FOUND; } /** -- 2.16.3.windows.1
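
Review bot: In the @@ -432,7 +418,12 @@ hunk, the new check `DataRecord.DataSize > VarSize - DataRecord.Offset` subtracts before confirming that DataRecord.Offset is no larger than VarSize. The declarations are not visible in this hunk, but if both operands are unsigned, an Offset past the end of the variable makes the subtraction wrap to a large value and the check passes. Suggest testing the offset first, for example `if (DataRecord.Offset > VarSize || DataRecord.DataSize > VarSize - DataRecord.Offset)`. The check also sits only inside the branch for items without DATA_ATTRIB_SIZE_FIXED, so it is worth confirming that fixed-size records are bounded against VarSize as well.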
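
Review bot: In the @@ -454,6 +445,28 @@ hunk, the Error block frees only Variable. When it is reached from the new length check, and if more than one record is processed per call, any DataItem->Data.Ptr buffer that AllocatePool returned for an earlier record is neither freed nor reset here, so the caller gets EFI_NOT_FOUND alongside partially populated items. Either release and clear those items in the Error block or document that the caller must. The return value of gRT->SetVariable is also ignored, and a DEBUG message on this path would make a discarded variable visible in logs.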