From: "Saloni Kasbekar"
To: "Douglas Flick [MSFT]", "devel@edk2.groups.io"
CC: Doug Flick, "Clark-williams, Zachary", Andrew Fish, "Leif Lindholm", "Kinney, Michael D"
Subject: Re: [edk2-devel] [PATCH 1/3] [edk2-stable202402] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch
Date: Mon, 12 Feb 2024 17:14:03 +0000
In-Reply-To: <18e9d08ad2c15daa4fee37ba5283856e758d6e94.1707534069.git.doug.edk2@gmail.com>

Reviewed-by: Saloni Kasbekar

-----Original Message-----
From: Douglas Flick [MSFT]
Sent: Friday, February 9, 2024 7:05 PM
To: devel@edk2.groups.io
Cc: Doug Flick; Kasbekar, Saloni; Clark-williams, Zachary; Andrew Fish; Leif Lindholm; Kinney, Michael D; Doug Flick [MSFT]
Subject: [PATCH 1/3] [edk2-stable202402] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch

From: Doug Flick

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534

This was not part of the Quarkslab bugs however the same pattern as
CVE-2023-45229 exists in Dhcp6UpdateIaInfo.

This patch replaces the code in question with the safe function created to
patch CVE-2023-45229

>
>   if (EFI_ERROR (
>         Dhcp6SeekInnerOptionSafe (
>           Instance->Config->IaDescriptor.Type,
>           Option,
>           OptionLen,
>           &IaInnerOpt,
>           &IaInnerLen
>           )
>         ))
>   {
>     return EFI_DEVICE_ERROR;
>   }
>

Additionally corrects incorrect usage of macro to read the status

> - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
> + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) DHCP6_OFFSET_OF_STATUS_CODE (Option));

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Cc: Andrew Fish
Cc: Leif Lindholm
Cc: Michael D Kinney
Signed-off-by: Doug Flick [MSFT]
--- NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 232 ++++++++++++++++++++-------------- 1 file changed, 134 insertions(+), 98 deletions(-) diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c = index 3b8feb4a2032..6000e885afaf 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c 
@@ -510,6 +510,97 @@ Dhcp6CallbackUser ( return Status; } +/**+ Seeks the Inner Options from a DHCP6 Option++ @= param[in] IaType The type of the IA option.+ @param[in] Option = The pointer to the DHCP6 Option.+ @param[in] OptionLen The= length of the DHCP6 Option.+ @param[out] IaInnerOpt The pointer to t= he IA inner option.+ @param[out] IaInnerLen The length of the IA inne= r option.++ @retval EFI_SUCCESS Seek the inner option successfully= .+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,+ = the pointers are not modified+**/+EFI_STATUS+Dhcp6Se= ekInnerOptionSafe (+ IN UINT16 IaType,+ IN UINT8 *Option,+ IN UINT= 32 OptionLen,+ OUT UINT8 **IaInnerOpt,+ OUT UINT16 *IaInnerLen+ )+{+= UINT16 IaInnerLenTmp;+ UINT8 *IaInnerOptTmp;++ if (Option =3D=3D NUL= L) {+ ASSERT (Option !=3D NULL);+ return EFI_DEVICE_ERROR;+ }++ if = (IaInnerOpt =3D=3D NULL) {+ ASSERT (IaInnerOpt !=3D NULL);+ return EF= I_DEVICE_ERROR;+ }++ if (IaInnerLen =3D=3D NULL) {+ ASSERT (IaInnerLen= !=3D NULL);+ return EFI_DEVICE_ERROR;+ }++ if (IaType =3D=3D Dhcp6Opt= Iana) {+ //+ // Verify we have a fully formed IA_NA+ //+ if (Op= tionLen < DHCP6_MIN_SIZE_OF_IA_NA) {+ return EFI_DEVICE_ERROR;+ }++= //+ // Get the IA Inner Option and Length+ //+ IaInnerOptTmp = =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);++ //+ // Verify the IaI= nnerLen is valid.+ //+ IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned= 16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));+ if (IaInnerLenTmp < D= HCP6_SIZE_OF_COMBINED_IAID_T1_T2) {+ return EFI_DEVICE_ERROR;+ }++ = IaInnerLenTmp -=3D DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;+ } else if (IaTyp= e =3D=3D Dhcp6OptIata) {+ //+ // Verify the OptionLen is valid.+ /= /+ if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) {+ return EFI_DEVICE_ER= ROR;+ }++ IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);= ++ //+ // Verify the IaInnerLen is valid.+ //+ IaInnerLenTmp = =3D (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Opt= ion))));+ if (IaInnerLenTmp < 
DHCP6_SIZE_OF_IAID) {+ return EFI_DEV= ICE_ERROR;+ }++ IaInnerLenTmp -=3D DHCP6_SIZE_OF_IAID;+ } else {+ = return EFI_DEVICE_ERROR;+ }++ *IaInnerOpt =3D IaInnerOptTmp;+ *IaInnerL= en =3D IaInnerLenTmp;++ return EFI_SUCCESS;+}+ /** Update Ia according t= o the new reply message. @@ -528,13 +619,23 @@ Dhcp6UpdateIaInfo ( { EFI_STATUS Status; UINT8 *Option;+ UINT32 OptionLen; = UINT8 *IaInnerOpt; UINT16 IaInnerLen; UINT16 StsCode; = UINT32 T1; UINT32 T2; + T1 =3D 0;+ T2 =3D 0;+ ASSERT (Inst= ance->Config !=3D NULL);++ // OptionLen is the length of the Options exclu= ding the DHCP header.+ // Length of the EFI_DHCP6_PACKET from the first by= te of the Header field to the last+ // byte of the Option[] field.+ Optio= nLen =3D Packet->Length - sizeof (Packet->Dhcp6.Header);+ // // If the = reply was received in response to a solicit with rapid commit option, // = request, renew or rebind message, the client updates the information it has= 
@@ -549,13 +650,29 @@ Dhcp6UpdateIaInfo ( // Option =3D Dhcp6SeekIaOption ( Packet->Dhcp6.Option,- = Packet->Length - sizeof (EFI_DHCP6_HEADER),+ Option= Len, &Instance->Config->IaDescriptor ); if (Opt= ion =3D=3D NULL) { return EFI_DEVICE_ERROR; } + //+ // Calculate th= e distance from Packet->Dhcp6.Option to the IA option.+ //+ // Packet->Si= ze and Packet->Length are both UINT32 type, and Packet->Size is+ // the si= ze of the whole packet, including the DHCP header, and Packet->Length+ // = is the length of the DHCP message body, excluding the DHCP header.+ //+ /= / (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of= + // DHCP6 option area to the start of the IA option.+ //+ // Dhcp6SeekI= nnerOptionSafe() is searching starting from the start of the+ // IA option= to the end of the DHCP6 option area, thus subtract the space+ // up until= this option+ //+ OptionLen =3D OptionLen - (UINT32)(Option - Packet->Dhc= p6.Option);+ // // The format of the IA_NA option is: //@@ -591,32 +7= 08,32 @@ Dhcp6UpdateIaInfo ( // //- // sizeof (option-code + option-len + IaId) =3D 8- = // sizeof (option-code + option-len + IaId + T1) =3D 12- // sizeof (= option-code + option-len + IaId + T1 + T2) =3D 16- //- // The inner optio= ns still start with 2 bytes option-code and 2 bytes option-len.+ // Seek t= he inner option //+ if (EFI_ERROR (+ Dhcp6SeekInnerOptionSafe (+ = Instance->Config->IaDescriptor.Type,+ Option,+ O= ptionLen,+ &IaInnerOpt,+ &IaInnerLen+ )+ = ))+ {+ return EFI_DEVICE_ERROR;+ }+ if (Instance->Config->IaDescript= or.Type =3D=3D Dhcp6OptIana) { T1 =3D NTOHL (ReadUnaligned32 ((UINT32 *= )(DHCP6_OFFSET_OF_IA_NA_T1 (Option)))); T2 =3D NTOHL (ReadUnaligned32 (= (UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); // // Refer to RFC= 3155 Chapter 22.4. 
If a client receives an IA_NA with T1 greater than T2, = // and both T1 and T2 are greater than 0, the client discards the IA_NA = option and processes- // the remainder of the message as though the serv= er had not included the invalid IA_NA option.+ // the remainder of the = message as though the server had not included the invalid IA_NA option. = // if ((T1 > T2) && (T2 > 0)) { return EFI_DEVICE_ERROR; }--= IaInnerOpt =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);- IaInnerLen= =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (O= ption)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);- } else {- T1 =3D 0;- = T2 =3D 0;-- IaInnerOpt =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);- = IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_= OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); } //@@ -642,7 +759,7 @@ = Dhcp6UpdateIaInfo ( Option =3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode)= ; if (Option !=3D NULL) {- StsCode =3D NTOHS (ReadUnaligned16 ((UINT1= 6 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));+ StsCode =3D NTOHS (ReadUnalig= ned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (Option)))); if (StsCode = !=3D Dhcp6StsSuccess) { return EFI_DEVICE_ERROR; }@@ -662,87 +779= ,6 @@ Dhcp6UpdateIaInfo ( return Status; } -/**- Seeks the Inner Options from a DHCP6 Option-- @= param[in] IaType The type of the IA option.- @param[in] Option = The pointer to the DHCP6 Option.- @param[in] OptionLen The= length of the DHCP6 Option.- @param[out] IaInnerOpt The pointer to t= he IA inner option.- @param[out] IaInnerLen The length of the IA inne= r option.-- @retval EFI_SUCCESS Seek the inner option successfully= .- @retval EFI_DEVICE_ERROR The OptionLen is invalid. 
On Error,- = the pointers are not modified-**/-EFI_STATUS-Dhcp6Se= ekInnerOptionSafe (- IN UINT16 IaType,- IN UINT8 *Option,- IN UINT= 32 OptionLen,- OUT UINT8 **IaInnerOpt,- OUT UINT16 *IaInnerLen- )-{-= UINT16 IaInnerLenTmp;- UINT8 *IaInnerOptTmp;-- if (Option =3D=3D NUL= L) {- ASSERT (Option !=3D NULL);- return EFI_DEVICE_ERROR;- }-- if = (IaInnerOpt =3D=3D NULL) {- ASSERT (IaInnerOpt !=3D NULL);- return EF= I_DEVICE_ERROR;- }-- if (IaInnerLen =3D=3D NULL) {- ASSERT (IaInnerLen= !=3D NULL);- return EFI_DEVICE_ERROR;- }-- if (IaType =3D=3D Dhcp6Opt= Iana) {- // Verify we have a fully formed IA_NA- if (OptionLen < DHCP= 6_MIN_SIZE_OF_IA_NA) {- return EFI_DEVICE_ERROR;- }-- //- IaI= nnerOptTmp =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);-- // Verify the= IaInnerLen is valid.- IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned16 = ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));- if (IaInnerLenTmp < DHCP= 6_SIZE_OF_COMBINED_IAID_T1_T2) {- return EFI_DEVICE_ERROR;- }-- = IaInnerLenTmp -=3D DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;- } else if (IaType = =3D=3D Dhcp6OptIata) {- // Verify the OptionLen is valid.- if (Option= Len < DHCP6_MIN_SIZE_OF_IA_TA) {- return EFI_DEVICE_ERROR;- }-- = IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);-- // Verify = the IaInnerLen is valid.- IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned= 16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));- if (IaInnerLenTmp <= DHCP6_SIZE_OF_IAID) {- return EFI_DEVICE_ERROR;- }-- IaInnerLen= Tmp -=3D DHCP6_SIZE_OF_IAID;- } else {- return EFI_DEVICE_ERROR;- }-- = *IaInnerOpt =3D IaInnerOptTmp;- *IaInnerLen =3D IaInnerLenTmp;-- return = EFI_SUCCESS;-}- /** Seek StatusCode Option in package. A Status Code opti= on may appear in the options field of a DHCP message and/or in the option= s field of another option.--=20 2.43.0
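
Review bot: In the @@ -510,6 +510,97 @@ hunk, Dhcp6SeekInnerOptionSafe checks the option-len field only against a lower bound (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2, IaInnerLenTmp < DHCP6_SIZE_OF_IAID) and never against OptionLen, so the IaInnerLen it hands back can describe more bytes than remain in the buffer after the IA header. Suggest also returning EFI_DEVICE_ERROR when the option-code and option-len bytes plus the option-len value exceed OptionLen, so that callers passing IaInnerLen on (as Dhcp6UpdateIaInfo does to Dhcp6SeekOption) receive a length already bounded by the packet.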
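
Review bot: In the @@ -528,13 +619,23 @@ hunk, OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header) is a UINT32 subtraction with no preceding check that Packet->Length is at least the header size, so a short Length wraps to a very large OptionLen and every bound later derived from it stops meaning anything. Suggest returning EFI_DEVICE_ERROR first when Packet->Length < sizeof (Packet->Dhcp6.Header). Separately, ASSERT (Instance->Config != NULL) is the only guard before Instance->Config->IaDescriptor is dereferenced; the helper added in this patch pairs each ASSERT with an explicit error return, and the same pattern would fit here.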
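
Review bot: In the @@ -549,13 +650,29 @@ hunk, the new comment describes Packet->Length as "the length of the DHCP message body, excluding the DHCP header", which contradicts the comment added in the previous hunk ("from the first byte of the Header field to the last byte of the Option[] field") and the code itself, which subtracts the header size from Packet->Length. The same comment writes (*Option - Packet->Dhcp6.Option) with a stray dereference where the code uses Option - Packet->Dhcp6.Option. Suggest making the comment match the code, and checking that the offset does not exceed OptionLen before OptionLen - (UINT32)(Option - Packet->Dhcp6.Option), since the subtraction relies entirely on Dhcp6SeekIaOption returning a pointer inside the option area.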
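
Review bot: In the @@ -591,32 +708,32 @@ hunk, the -/+ pair on the comment line "the remainder of the message as though the server had not included the invalid IA_NA option." shows no textual difference, so it looks like a whitespace-only change; suggest dropping it from a security patch aimed at a stable tag so the diff contains only the fix. If that comment is touched anyway, "RFC3155 Chapter 22.4" should read RFC 3315, the DHCPv6 specification. With the else branch removed, the IA_TA path now depends on the T1 = 0 and T2 = 0 initialisation added at the top of the function; a one-line comment at the IA_NA branch saying so would help the next reader.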
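
Review bot: In the @@ -642,7 +759,7 @@ hunk, the status code is now read at DHCP6_OFFSET_OF_STATUS_CODE (Option), but nothing visible here confirms that the Status Code option returned by Dhcp6SeekOption carries at least the two status-code bytes within IaInnerOpt + IaInnerLen. Unless Dhcp6SeekOption guarantees that, suggest checking the option-len field and the remaining inner length before the ReadUnaligned16. The commit message's copy of this + line also has one closing parenthesis fewer than the hunk; worth correcting so the two agree.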
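
Review bot: Relocating Dhcp6SeekInnerOptionSafe (removed in the @@ -662,87 +779,6 @@ hunk, re-added at line 510) accounts for most of the 134 insertions and 98 deletions; a forward declaration above Dhcp6UpdateIaInfo would reduce this security patch to the caller changes and make review on the stable branch easier. If the move stays, note in the commit message that the re-added copy is not byte-identical: the comments gain // wrapper lines and the empty // before IaInnerOptTmp becomes "Get the IA Inner Option and Length", while the code is unchanged.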
View/Reply Online (#115362): https://edk2.groups.io/g/devel/message/115362