From: "Saloni Kasbekar"
To: "Douglas Flick [MSFT]", "devel@edk2.groups.io"
CC: Doug Flick, "Clark-williams, Zachary"
Subject: Re: [edk2-devel] [PATCH v2 13/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
Date: Thu, 1 Feb 2024 21:37:43 +0000

Reviewed-by: Saloni Kasbekar

-----Original Message-----
From: Douglas Flick [MSFT]
Sent: Thursday, January 25, 2024 1:55 PM
To: devel@edk2.groups.io
Cc: Doug Flick; Kasbekar, Saloni; Clark-williams, Zachary; Doug Flick [MSFT]
Subject: [PATCH v2 13/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540

Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message

Change Overview:

Performs two checks

1. Checks that the length of the duid is accurate

> +    //
> +    // Check that the minimum and maximum requirements are met
> +    //
> +    if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> +      Status = EFI_INVALID_PARAMETER;
> +      goto ON_ERROR;
> +    }

2. Ensures that the amount of data written to the buffer is tracked and never exceeds that

> +    //
> +    // Check that the option length is valid.
> +    //
> +    if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) {
> +      Status = EFI_OUT_OF_RESOURCES;
> +      goto ON_ERROR;
> +    }

Additional code clean up and fix for memory leak in case Option was NULL

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams

Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | 17 ++++++
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 77 ++++++++++++++++++++++------
 2 files changed, 78 insertions(+), 16 deletions(-)

diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
index c86f6d391b80..6357d27faefd 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
@@ -34,6 +34,23 @@ #define PXEBC_ADDR_START_DELIMITER '[' #define PXEBC_ADDR_END_DELIM= ITER ']' +//+// A DUID consists of a 2-octet type code represented= in network byte+// order, followed by a variable number of octets that mak= e up the+// actual identifier. The length of the DUID (not including the t= ype+// code) is at least 1 octet and at most 128 octets.+//+#define PXEBC_M= IN_SIZE_OF_DUID (sizeof(UINT16) + 1)+#define PXEBC_MAX_SIZE_OF_DUID (size= of(UINT16) + 128)++//+// This define represents the combineds code and leng= th field from+// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1= +//+#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \+ (sizeof (((EFI= _DHCP6_PACKET_OPTION *)0)->OpCode) + \+ sizeof (((EFI_DHCP6_PACKET_OPT= ION *)0)->OpLen))+ #define GET_NEXT_DHCP6_OPTION(Opt) \ (EFI_DHCP6_PACKET= _OPTION *) ((UINT8 *) (Opt) + \ sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS= ((Opt)->OpLen)) - 1)diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/Ne= tworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c index 2b2d372889a3..7fd1281c1184 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c 
@@ -887,6 +887,7 @@ PxeBcRequestBootService ( EFI_STATUS Status; EFI_DHCP6_PACKET = *IndexOffer; UINT8 *Option;+ UINTN = DiscoverLenNeeded; PxeBc =3D &Private->PxeBc; = Request =3D Private->Dhcp6Request;@@ -899,7 +900,8 @@ PxeBcRequestBoot= Service ( return EFI_DEVICE_ERROR; } - Discover =3D AllocateZeroPool (sizeof = (EFI_PXE_BASE_CODE_DHCPV6_PACKET));+ DiscoverLenNeeded =3D sizeof (EFI_PXE= _BASE_CODE_DHCPV6_PACKET);+ Discover =3D AllocateZeroPool (Discov= erLenNeeded); if (Discover =3D=3D NULL) { return EFI_OUT_OF_RESOURCES= ; }@@ -924,16 +926,34 @@ PxeBcRequestBootService ( DHCP6_OPT_SERVER_ID ); if (Option =3D=3D= NULL) {- return EFI_NOT_FOUND;+ Status =3D EFI_NOT_FOUND;+ = goto ON_ERROR; } // // Add Server ID Option. // OpLen = =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)Option)->OpLen);- CopyMem (Discov= erOpt, Option, OpLen + 4);- DiscoverOpt +=3D (OpLen + 4);- DiscoverLe= n +=3D (OpLen + 4);++ //+ // Check that the minimum and maximum requi= rements are met+ //+ if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen >= PXEBC_MAX_SIZE_OF_DUID)) {+ Status =3D EFI_INVALID_PARAMETER;+ g= oto ON_ERROR;+ }++ //+ // Check that the option length is valid.+ = //+ if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LE= N) > DiscoverLenNeeded) {+ Status =3D EFI_OUT_OF_RESOURCES;+ goto= ON_ERROR;+ }++ CopyMem (DiscoverOpt, Option, OpLen + PXEBC_COMBINED_= SIZE_OF_OPT_CODE_AND_LEN);+ DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZ= E_OF_OPT_CODE_AND_LEN);+ DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_O= F_OPT_CODE_AND_LEN); } while (RequestLen < Request->Length) {@@ -944,1= 6 +964,24 @@ PxeBcRequestBootService ( (OpCode !=3D DHCP6_OPT_SERVER_ID) ) {+ //+ /= / Check that the option length is valid.+ //+ if (DiscoverLen + O= pLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded) {+ = Status =3D EFI_OUT_OF_RESOURCES;+ goto ON_ERROR;+ }+ /= / // Copy all the options except IA option and Server ID //- = CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);- DiscoverOpt 
+=3D (Op= Len + 4);- DiscoverLen +=3D (OpLen + 4);+ CopyMem (DiscoverOpt, R= equestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);+ Discover= Opt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);+ DiscoverL= en +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } - Reque= stOpt +=3D (OpLen + 4);- RequestLen +=3D (OpLen + 4);+ RequestOpt += =3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);+ RequestLen +=3D = (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } //@@ -2154,6 +218= 2,7 @@ PxeBcDhcp6Discover ( UINT16 OpLen; UINT32 = Xid; EFI_STATUS Status;+ UINTN = DiscoverLenNeeded; PxeBc =3D &Private->PxeBc; Mode = =3D PxeBc->Mode;@@ -2169,7 +2198,8 @@ PxeBcDhcp6Discover ( return EFI_DEVICE_ERROR; } - Discover =3D AllocateZeroPool (sizeof = (EFI_PXE_BASE_CODE_DHCPV6_PACKET));+ DiscoverLenNeeded =3D sizeof (EFI_PXE= _BASE_CODE_DHCPV6_PACKET);+ Discover =3D AllocateZeroPool (Discov= erLenNeeded); if (Discover =3D=3D NULL) { return EFI_OUT_OF_RESOURCES= ; }@@ -2185,22 +2215,37 @@ PxeBcDhcp6Discover ( DiscoverLen =3D sizeof (EFI_DHCP6_HEADER); RequestLen = =3D DiscoverLen; + //+ // The request packet is generated by the= UEFI network stack. In the DHCP4 DORA and DHCP6 SARR sequence,+ // the fi= rst (discover in DHCP4 and solicit in DHCP6) and third (request in both DHC= P4 and DHCP6) are+ // generated by the DHCP client (the UEFI network stack= in this case). 
By the time this function executes,+ // the DHCP sequence = already has been executed once (see UEFI Specification Figures 24.2 and 24.= 3), with+ // Private->Dhcp6Request being a cached copy of the DHCP6 reques= t packet that UEFI network stack previously+ // generated and sent.+ //+ = // Therefore while this code looks like it could overflow, in practice it'= s not possible.+ // while (RequestLen < Request->Length) { OpCode = =3D NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpCode); OpLen =3D= NTOHS (((EFI_DHCP6_PACKET_OPTION *)RequestOpt)->OpLen); if ((OpCode != =3D EFI_DHCP6_IA_TYPE_NA) && (OpCode !=3D EFI_DHCP6_IA_TYPE_TA)) = {+ if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN= > DiscoverLenNeeded) {+ Status =3D EFI_OUT_OF_RESOURCES;+ go= to ON_ERROR;+ }+ // // Copy all the options except IA opti= on. //- CopyMem (DiscoverOpt, RequestOpt, OpLen + 4);- Disc= overOpt +=3D (OpLen + 4);- DiscoverLen +=3D (OpLen + 4);+ CopyMem= (DiscoverOpt, RequestOpt, OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)= ;+ DiscoverOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);= + DiscoverLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); = } - RequestOpt +=3D (OpLen + 4);- RequestLen +=3D (OpLen + 4);+ = RequestOpt +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN);+ Re= questLen +=3D (OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN); } Sta= tus =3D PxeBc->UdpWrite (--=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114967): https://edk2.groups.io/g/devel/message/114967 Mute This Topic: https://groups.io/mt/103964991/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
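Review bot: typo in the PxeBcDhcp6.h hunk (@@ -34,6 +34,23): the comment above PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN reads "This define represents the combineds code and length field" and should say "combined". While touching that comment block, the DUID comment only cites RFC 3315 section 22.1 (the option layout); the "at least 1 octet and at most 128 octets, not including the type code" bound comes from section 9.1 of the same RFC. Citing it there lets a reader verify that PXEBC_MIN_SIZE_OF_DUID / PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 1 and sizeof(UINT16) + 128, i.e. the 2-octet type code counted inside OpLen) are the right numbers without hunting for them.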
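Review bot: in the PxeBcRequestBootService hunk (@@ -924,16 +926,34) the new `goto ON_ERROR` for `Option == NULL` and both new checks rely on an ON_ERROR label that frees `Discover`; the label body is outside the hunk, so please confirm it actually releases `Discover` (the commit message says this is what fixes the leak, but the hunk itself cannot show it). The ordering of the two checks is right: the DUID bound rejects an absurd OpLen first, the space check runs second, and both precede CopyMem. One nit: EFI_OUT_OF_RESOURCES normally signals a failed allocation, whereas this condition is a fixed-size destination being too small, for which EFI_BUFFER_TOO_SMALL is the conventional status.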
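Review bot: in the option-copy loop hunk of PxeBcRequestBootService (@@ -944,16 +964,24) the new check bounds only the write into `Discover`; `OpLen` is still taken from `RequestOpt` with no check that `RequestLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN` stays within `Request->Length`. That is defensible because `Request` is the client's own cached packet, but the comment added in PxeBcDhcp6Discover that explains exactly this is not repeated here; a one-line pointer to it (or an ASSERT on the read bound) would keep the two call sites consistent. Style: this condition, `if (DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN > DiscoverLenNeeded)`, drops the outer parentheses that the Server ID check a few lines above uses; pick one form.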
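Review bot: in the PxeBcDhcp6Discover hunk (@@ -2185,22 +2215,37) the new comment ends with "while this code looks like it could overflow, in practice it's not possible" and sits directly above a bounds check that this same hunk adds, so it reads as if the check were redundant. Suggest rewording to separate the two concerns: the loop cannot read past `Request` because `Private->Dhcp6Request` is the client's own cached packet, whereas the `DiscoverLenNeeded` check still guards the write into the fixed-size `Discover` buffer. A reader asking "why check if it cannot happen" should find the answer in the comment rather than in the commit history.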
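The two checks the commit message describes (DUID length within the RFC bounds, then room left in the destination before the copy), carried into a stand-alone C program. This is an added example and not edk2 code or Doug Flick's patch: the packet layout mirrors EFI_PXE_BASE_CODE_DHCPV6_PACKET but with an assumed 64-byte option area instead of 1024, the status names are stand-ins for the EFI_STATUS codes the patch returns, and the Advertise option lists are constructed inside the program. It goes one step beyond the hunks by also bounding the read side: find_option refuses an option whose OpLen runs past the end of the packet, which is outside what the patch changes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCPv6 option header (RFC 3315 s22.1): 2-byte code, 2-byte length, network order. */
#define OPT_HDR_LEN   4u
#define OPT_SERVER_ID 2u
/* A DUID is a 2-octet type code plus 1..128 identifier octets. */
#define DUID_MIN_LEN  (2u + 1u)
#define DUID_MAX_LEN  (2u + 128u)
/* Assumed destination, modelled on EFI_PXE_BASE_CODE_DHCPV6_PACKET: 4-byte header
 * then a fixed option area. The real one holds 1024 option bytes; 64 is assumed here. */
#define HDR_LEN       4u
#define OPTS_SIZE     64u

struct dhcp6_packet { uint8_t msg_type; uint8_t xid[3]; uint8_t options[OPTS_SIZE]; };

/* Stand-ins for the EFI_STATUS values the patch returns. */
enum status { ST_OK = 0, ST_NOT_FOUND, ST_MALFORMED, ST_INVALID_PARAMETER, ST_OUT_OF_RESOURCES };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Find option `code`, checking every header and body against `len` before reading it,
 * so a lying OpLen cannot drive an out-of-bounds read. */
static enum status find_option(const uint8_t *opts, size_t len, uint16_t code, size_t *off)
{
    for (size_t pos = 0; pos < len; ) {
        if (len - pos < OPT_HDR_LEN)
            return ST_MALFORMED;                 /* truncated option header */
        uint16_t op_code = rd16(opts + pos), op_len = rd16(opts + pos + 2);
        if (len - pos - OPT_HDR_LEN < op_len)
            return ST_MALFORMED;                 /* body runs past the packet */
        if (op_code == code) { *off = pos; return ST_OK; }
        pos += OPT_HDR_LEN + op_len;
    }
    return ST_NOT_FOUND;
}

/* Copy the Server ID option of an Advertise into `out`. *used counts bytes already
 * occupied (header plus options) and advances on success. The pre-patch code copied
 * OpLen + 4 bytes unconditionally; here the two checks from the patch run first. */
enum status copy_server_id(const uint8_t *adv, size_t adv_len, struct dhcp6_packet *out, size_t *used)
{
    size_t off;
    if (*used < HDR_LEN || *used > sizeof *out)
        return ST_INVALID_PARAMETER;
    enum status st = find_option(adv, adv_len, OPT_SERVER_ID, &off);
    if (st != ST_OK)
        return st;
    uint16_t op_len = rd16(adv + off + 2);
    if (op_len < DUID_MIN_LEN || op_len > DUID_MAX_LEN)       /* check 1: DUID bounds */
        return ST_INVALID_PARAMETER;
    if (sizeof *out - *used < OPT_HDR_LEN + op_len)           /* check 2: room in out */
        return ST_OUT_OF_RESOURCES;
    memcpy(out->options + (*used - HDR_LEN), adv + off, OPT_HDR_LEN + op_len);
    *used += OPT_HDR_LEN + op_len;
    return ST_OK;
}

/* Constructed input: one Server ID option carrying `duid_len` bytes of 0xAB whose
 * header claims `claimed_len`, so a lying length field can be exercised. */
size_t build_server_id(uint8_t *buf, size_t cap, uint16_t duid_len, uint16_t claimed_len)
{
    if (cap < OPT_HDR_LEN + duid_len)
        return 0;
    buf[0] = 0; buf[1] = OPT_SERVER_ID;
    buf[2] = (uint8_t)(claimed_len >> 8); buf[3] = (uint8_t)claimed_len;
    memset(buf + OPT_HDR_LEN, 0xAB, duid_len);
    return OPT_HDR_LEN + duid_len;
}

/* One scenario end to end: build the Advertise, copy into a fresh packet, return the
 * status; *final_used receives the bytes in use afterwards (HDR_LEN if nothing copied). */
enum status scenario(uint16_t duid_len, uint16_t claimed_len, size_t *final_used)
{
    uint8_t adv[256];
    struct dhcp6_packet pkt = {0};
    size_t used = HDR_LEN;                      /* like DiscoverLen = sizeof (EFI_DHCP6_HEADER) */
    size_t n = build_server_id(adv, sizeof adv, duid_len, claimed_len);
    enum status st = copy_server_id(adv, n, &pkt, &used);
    if (final_used) *final_used = used;
    return st;
}

/* Bytes in use after a scenario, for callers that only want the length. */
size_t scenario_used(uint16_t duid_len, uint16_t claimed_len)
{
    size_t used;
    scenario(duid_len, claimed_len, &used);
    return used;
}

int main(void)
{
    static const char *name[] = {"OK", "NOT_FOUND", "MALFORMED", "INVALID_PARAMETER", "OUT_OF_RESOURCES"};
    uint16_t cases[][2] = {{14, 14}, {14, 200}, {0, 0}, {131, 131}, {130, 130}, {60, 60}, {61, 61}};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t used;
        enum status st = scenario(cases[i][0], cases[i][1], &used);
        printf("duid=%3u claimed=%3u -> %-17s used=%zu\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1], name[st], used);
    }
    return 0;
}
```

The 60- and 61-byte cases sit on either side of the exact boundary of the assumed 64-byte option area: a 60-byte DUID plus its 4-byte header fills the packet completely and is accepted, one byte more is refused before memcpy runs. The 131-byte case is rejected by the DUID bound even though a larger option area could hold it, which is why the patch applies that check first.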